CVE-2016-20067

MEDIUM

WordPress CP Polls 1.0.8 Cross-Site Request Forgery

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20067. PoCs published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary The exploit demonstrates a CSRF vulnerability in WordPress CP Polls 1.0.8, allowing an attacker to update poll settings and inject persistent XSS payloads. It also includes a proof-of-concept for a reflected file download attack and cross-site file upload with persistent XSS.

Description

WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in.

Exploits (1)

exploitdb WORKING POC
by i0akiN SEC-LABORATORY · textwebappsphp
https://www.exploit-db.com/exploits/39513

The exploit demonstrates a CSRF vulnerability in WordPress CP Polls 1.0.8, allowing an attacker to update poll settings and inject persistent XSS payloads. It also includes a proof-of-concept for a reflected file download attack and cross-site file upload with persistent XSS.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: WordPress CP Polls 1.0.8
No auth needed
Prerequisites: Victim must be logged in as an administrator · Attacker must know the poll ID
devstral-2 · analyzed Jun 15, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit exploit
ExploitDB-39513
https://www.exploit-db.com/exploits/39513
Third Party Advisory third-party-advisory
VulnCheck Advisory: WordPress CP Polls 1.0.8 Cross-Site Request Forgery
https://www.vulncheck.com/advisories/wordpress-cp-polls-cross-site-request-forgery

Scores

CVSS v3 4.3
EPSS 0.0012
EPSS Percentile 1.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
dwbooster/CP Polls 1.0.8
Published Jun 15, 2026
Tracked Since Jun 15, 2026