CVE-2016-20067 Overview
CVE-2016-20067 is a cross-site request forgery (CSRF) vulnerability affecting the WordPress CP Polls plugin version 1.0.8. The flaw allows attackers to trigger unauthorized poll operations when an authenticated administrator visits a malicious page. Exploitation requires no special privileges from the attacker, only that a logged-in administrator interacts with attacker-controlled content. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery.
Critical Impact
Attackers can craft malicious HTML pages that force authenticated WordPress administrators to execute unwanted poll management actions, undermining the integrity of polling data on affected sites.
Affected Products
- WordPress CP Polls plugin version 1.0.8
- WordPress sites running the vulnerable plugin with administrator sessions
- Any WordPress deployment where administrators access untrusted web content while authenticated
Discovery Timeline
- 2026-06-15 - CVE-2016-20067 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2016-20067
Vulnerability Analysis
The CP Polls plugin fails to validate the origin and authenticity of state-changing HTTP requests. WordPress provides nonce tokens through functions such as wp_nonce_field() and check_admin_referer() to prevent CSRF, but the plugin does not enforce these checks on poll management endpoints. As a result, a browser session belonging to an authenticated administrator will automatically attach session cookies to any forged request, allowing the server to process attacker-supplied parameters as legitimate administrative actions.
The vulnerability scope extends to any administrative action exposed by the plugin, including creating, modifying, or removing polls. While the confidentiality impact is limited, the integrity of poll data and the trust model of the administrative interface are degraded.
Root Cause
The root cause is the absence of anti-CSRF tokens on plugin endpoints that perform state changes. The plugin relies solely on session authentication, which is insufficient because browsers transmit cookies automatically with cross-origin requests. Without per-request nonce validation, the application cannot distinguish between a deliberate administrative action and a forged request initiated by a third-party site.
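The weak pattern described in the Vulnerability Analysis and Root Cause sections, beside its nonce-protected form. This is an added illustration, not the CP Polls plugin's own code; the handler names, the cp_polls_save action, the cp_polls_nonce field and the option key are assumed, while wp_nonce_field(), check_admin_referer(), current_user_can() and the admin_post_ hook are standard WordPress APIs.

```php
<?php
// Added illustration of the weak pattern and its fix; not the CP Polls plugin's
// own code. Handler names, the 'cp_polls_save' action, the 'cp_polls_nonce'
// field and the option key are assumed.

// BEFORE: the pattern behind CVE-2016-20067. Only the session is checked, so a
// cross-origin request carrying the administrator's cookies is processed as
// a legitimate save.
function cp_polls_save_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['poll_title'] ?? '' ) );
    update_option( 'cp_polls_example_title', $title ); // state change, no origin check
    wp_safe_redirect( admin_url( 'admin.php?page=cp-polls' ) );
    exit;
}

// AFTER: the form carries a nonce bound to this user and action, and the handler
// refuses requests that do not present it. A capability check limits who may act.
function cp_polls_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'cp_polls_save', 'cp_polls_nonce' ); // hidden nonce field
    echo '<input type="hidden" name="action" value="cp_polls_save">';
    echo '<input type="text" name="poll_title">';
    echo '<button type="submit">Save</button></form>';
}

function cp_polls_save_hardened() {
    // check_admin_referer() verifies the nonce for this action and dies on failure.
    check_admin_referer( 'cp_polls_save', 'cp_polls_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['poll_title'] ?? '' ) );
    update_option( 'cp_polls_example_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=cp-polls' ) );
    exit;
}

// Route the admin-post.php action to the hardened handler (logged-in users only).
add_action( 'admin_post_cp_polls_save', 'cp_polls_save_hardened' );
```

A forged cross-origin form cannot obtain a nonce minted for the victim's session, so the hardened handler stops before any state change.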
Attack Vector
An attacker hosts a page containing an auto-submitting HTML form or image tag targeting the vulnerable plugin endpoint. When an authenticated WordPress administrator visits the page, the browser issues the request with valid session cookies. The plugin processes the request and performs the requested poll operation. Refer to the Exploit-DB entry 39513 and the VulnCheck advisory for proof-of-concept details.
Detection Methods for CVE-2016-20067
Indicators of Compromise
- Unexpected poll creation, modification, or deletion events in the WordPress administrative audit log
- HTTP POST requests to CP Polls plugin endpoints lacking a valid _wpnonce parameter
- Referer headers on poll management requests originating from domains outside the WordPress site
- Administrator account activity correlated with visits to unfamiliar external URLs
Detection Strategies
- Inspect web server access logs for POST requests to wp-admin/admin.php with CP Polls action parameters and external Referer values
- Deploy a Web Application Firewall (WAF) rule that flags state-changing plugin requests missing the WordPress nonce token
- Correlate administrator browser telemetry with subsequent WordPress administrative actions to identify forged requests
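The access-log check from the Indicators of Compromise and Detection Strategies lists, run over constructed sample lines. This is an added example, not from the advisory or the plugin; it assumes the plugin's admin endpoints are wp-admin/admin.php and admin-post.php with an action or page parameter starting with cp_polls or cp-polls.

```php
<?php
// Added example, not from the advisory or the plugin. Flags POSTs to the assumed
// CP Polls admin endpoints whose Referer host is not the site, or whose query
// string lacks _wpnonce. Form-body fields never reach the access log, so a nonce
// sent in the POST body cannot be checked here; pair this with a WAF or audit log.
function cp_polls_flag_suspicious_requests( array $lines, string $site_host ): array {
    $flagged = array();
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$/';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not an Apache combined-format line
        }
        list( , $ip, $method, $target, $referer ) = $m;
        if ( 'POST' !== $method ) {
            continue;
        }
        $url  = parse_url( $target );
        $path = $url['path'] ?? '';
        if ( ! preg_match( '#/wp-admin/(admin|admin-post)\.php$#', $path ) ) {
            continue;
        }
        parse_str( $url['query'] ?? '', $q );
        $action = (string) ( $q['action'] ?? $q['page'] ?? '' );
        if ( 0 !== strpos( $action, 'cp_polls' ) && 0 !== strpos( $action, 'cp-polls' ) ) {
            continue; // not a CP Polls request
        }
        $reasons  = array();
        $ref_host = strtolower( (string) ( parse_url( $referer, PHP_URL_HOST ) ?? '' ) );
        if ( '' === $ref_host || $ref_host !== strtolower( $site_host ) ) {
            $reasons[] = 'external-or-missing-referer';
        }
        if ( ! isset( $q['_wpnonce'] ) ) {
            $reasons[] = 'no-nonce-in-query';
        }
        if ( $reasons ) {
            $flagged[] = array( 'ip' => $ip, 'target' => $target, 'reasons' => $reasons );
        }
    }
    return $flagged;
}

// Constructed sample lines, not real traffic: only the first should be flagged.
$sample = array(
    '203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "POST /wp-admin/admin-post.php?action=cp_polls_save HTTP/1.1" 302 0 "http://external-site.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jun/2026:10:01:13 +0000] "POST /wp-admin/admin.php?page=cp-polls&_wpnonce=abc123 HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php?page=cp-polls" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jun/2026:10:02:45 +0000] "GET /wp-admin/admin.php?page=cp-polls HTTP/1.1" 200 5120 "https://blog.example/wp-admin/" "Mozilla/5.0"',
);
foreach ( cp_polls_flag_suspicious_requests( $sample, 'blog.example' ) as $hit ) {
    echo $hit['ip'] . ' ' . $hit['target'] . ' [' . implode( ',', $hit['reasons'] ) . "]\n";
}
```

A missing Referer is flagged as well, since browsers that strip it on cross-origin navigation would otherwise hide exactly the requests this check is meant to surface.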
Monitoring Recommendations
- Enable WordPress audit logging plugins to record all poll-related administrative changes with originating IP and Referer
- Alert on installations of CP Polls version 1.0.8 across managed WordPress environments
- Monitor outbound browsing activity from administrator workstations for known malicious or newly registered domains
How to Mitigate CVE-2016-20067
Immediate Actions Required
- Identify all WordPress instances running the CP Polls plugin and confirm the installed version
- Disable or remove the CP Polls plugin on any site where an updated, patched version is not available
- Require administrators to log out of WordPress sessions when browsing untrusted sites
Patch Information
No vendor patch is referenced in the available advisory data. Administrators should consult the VulnCheck WordPress Advisory for current vendor status and replace the plugin with a maintained alternative if no fixed release exists.
Workarounds
- Deploy WAF rules that enforce the presence of valid WordPress nonce tokens on plugin administrative endpoints
- Restrict access to the WordPress administrative interface by source IP address using server configuration
- Use a dedicated browser profile or isolated session for WordPress administration to limit exposure to cross-origin requests
- Set the SameSite=Strict attribute on the WordPress authentication cookies where the deployment tolerates it, so the browser withholds them from cross-site requests
# Example: confirm the installed version, then deactivate and remove the
# vulnerable plugin via WP-CLI (plugin slug assumed to be cp-polls)
wp plugin get cp-polls --field=version
wp plugin deactivate cp-polls
wp plugin delete cp-polls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

