Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-46466

CVE-2025-46466: Modern Polls CSRF Vulnerability

CVE-2025-46466 is a Cross-Site Request Forgery flaw in the Modern Polls WordPress plugin that enables stored XSS attacks. This article covers the technical details, affected versions through 1.0.10, security impact, and mitigation.

Published:

CVE-2025-46466 Overview

CVE-2025-46466 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Modern Polls plugin developed by felixtz. This security flaw enables attackers to chain CSRF with Stored Cross-Site Scripting (XSS), allowing malicious actors to inject persistent scripts into the WordPress site through forged requests. When a logged-in administrator visits a malicious page, the attacker can exploit the lack of CSRF protection to inject XSS payloads that persist in the application and execute in the browsers of subsequent visitors.

Critical Impact

Attackers can leverage this CSRF-to-Stored-XSS chain to hijack administrator sessions, inject malicious scripts, deface websites, redirect visitors to phishing pages, or steal sensitive user data from the affected WordPress installation.

Affected Products

  • WordPress Modern Polls plugin version 1.0.10 and earlier
  • All WordPress installations running the vulnerable Modern Polls plugin versions

Discovery Timeline

  • 2025-04-24 - CVE-2025-46466 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-46466

Vulnerability Analysis

This vulnerability combines two attack vectors: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The Modern Polls plugin fails to implement proper CSRF token validation on its administrative endpoints, allowing attackers to craft malicious requests that execute in the context of an authenticated administrator's session.

The attack requires user interaction, specifically the victim must be authenticated as an administrator and visit a malicious page controlled by the attacker. Once the CSRF attack succeeds, the injected XSS payload becomes stored in the database and persists across page loads, affecting all users who subsequently view the compromised poll content.

The vulnerability affects confidentiality, integrity, and availability with limited impact in each area. The scope is changed, meaning the vulnerable component (the plugin) can impact resources beyond its security scope, potentially affecting the broader WordPress installation and its visitors.

Root Cause

The root cause of this vulnerability is the absence of proper anti-CSRF token verification in the Modern Polls plugin's administrative functions combined with insufficient output encoding when rendering user-controlled data. The plugin fails to validate that state-changing requests originate from the legitimate application interface, and does not properly sanitize stored data before rendering it in the browser.

Attack Vector

The attack is network-based and requires user interaction. An attacker must craft a malicious webpage or email containing a hidden form or JavaScript that targets the vulnerable endpoints in the Modern Polls plugin. When an authenticated WordPress administrator visits the attacker-controlled page, the browser automatically sends the forged request with the admin's session cookies. The malicious payload then gets stored in the database, where it executes whenever the affected poll content is rendered.

The attack does not require any privileges on the target system, as the attacker leverages the victim administrator's existing authenticated session to perform the malicious action.

Detection Methods for CVE-2025-46466

Indicators of Compromise

  • Unexpected JavaScript code or HTML elements in poll question or answer fields
  • Suspicious outbound network requests from the WordPress site to unknown domains
  • Unusual administrator activity patterns, particularly poll modifications without corresponding legitimate admin sessions
  • Browser console errors related to Content Security Policy violations when viewing polls

Detection Strategies

  • Review WordPress database entries for the Modern Polls plugin for unexpected script tags or event handlers
  • Monitor HTTP access logs for requests to Modern Polls administrative endpoints with external referrer headers
  • Implement Content Security Policy headers to detect and block inline script execution
  • Deploy web application firewall rules to detect XSS payload patterns in POST requests

Monitoring Recommendations

  • Enable detailed logging for all WordPress administrative actions
  • Configure alerts for modifications to poll content outside of normal administrative workflows
  • Monitor for JavaScript execution from stored content in poll displays
  • Implement file integrity monitoring to detect unauthorized changes to plugin files

How to Mitigate CVE-2025-46466

Immediate Actions Required

  • Disable or remove the Modern Polls plugin if not essential to site functionality
  • Audit existing poll content for any injected malicious scripts or suspicious HTML
  • Clear any cached pages that may contain stored XSS payloads
  • Review administrator session logs for suspicious activity patterns

Patch Information

Currently, no patch has been confirmed for this vulnerability. The issue affects Modern Polls version 1.0.10 and all earlier versions. Administrators should monitor the Patchstack Vulnerability Report for updates on available fixes.

Workarounds

  • Remove the Modern Polls plugin entirely until a security patch is available
  • Implement a Web Application Firewall (WAF) with CSRF and XSS protection rules
  • Restrict administrative access to trusted IP addresses only
  • Add Content-Security-Policy headers to mitigate XSS impact
  • Ensure administrators do not browse untrusted websites while logged into WordPress
bash
# Add Content-Security-Policy header in .htaccess as a defense-in-depth measure
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
</IfModule>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.