CVE-2025-5841
Published
CVSS v3: 6.4 (MEDIUM)
CVSS v2: N/A
Affected: 1 project
Description
The ACF Onyx Poll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The ‘class’ parameter is the attribute of the plugin's shortcode documented in the README below (<code>[onyx-poll id=XX class="left|right|full"]</code>). The Contributor role can author posts containing shortcodes, so the payload is stored with the post and rendered wherever that poll is displayed; the script runs in the browser of any visitor (including administrators previewing or reviewing the post). Versions later than 1.1.9 fall outside the stated affected range, so sites running 1.1.9 or earlier should update and, until then, review poll shortcodes placed in posts by Contributor-level users.
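The following is an added illustrative example and is not code from the ACF Onyx Poll plugin or from this advisory. It shows the general pattern behind a stored XSS through an unescaped shortcode attribute and a hardened version of the same handler. The shortcode tag and the <code>id</code>/<code>class</code> attribute names, and the documented class values, are taken from the README on this page; the function names, the generated markup and the placement of the attribute in that markup are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the vulnerable pattern
// described in CVE-2025-5841 (unescaped shortcode attribute) next to a hardened form.
// Function names and the output markup are hypothetical.

// Vulnerable pattern: the attribute value goes straight into the HTML.
function onyx_poll_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'class' => '' ), $atts, 'onyx-poll' );

    // A post containing   [onyx-poll id=1 class='" onmouseover="alert(1)']
    // (single quotes are accepted by WordPress's shortcode attribute parser)
    // closes the class attribute and adds an attacker-controlled event handler.
    // KSES does not help here: the shortcode text survives post filtering, and
    // the plugin builds the HTML from it at render time.
    return '<div class="onyx-poll ' . $atts['class'] . '" data-id="' . $atts['id'] . '"></div>';
}

// Hardened pattern: allow only the documented values, then escape on output.
function onyx_poll_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'class' => '' ), $atts, 'onyx-poll' );

    // Values documented in the README: layout (left|right|full) and style (twitter|standard).
    $allowed = array( 'left', 'right', 'full', 'twitter', 'standard' );
    $classes = array();
    foreach ( preg_split( '/\s+/', trim( (string) $atts['class'] ) ) as $class ) {
        $class = sanitize_html_class( $class ); // keeps only [A-Za-z0-9_-]
        if ( in_array( $class, $allowed, true ) ) {
            $classes[] = $class;
        }
    }

    // The poll ID is a post ID, so it must be a non-negative integer.
    $id = absint( $atts['id'] );

    // esc_attr() is still applied: sanitizing on input and escaping on output
    // are separate layers, and the allow-list may be loosened later.
    return sprintf(
        '<div class="onyx-poll %s" data-id="%s"></div>',
        esc_attr( implode( ' ', $classes ) ),
        esc_attr( (string) $id )
    );
}

add_shortcode( 'onyx-poll', 'onyx_poll_shortcode_hardened' );
```

When reviewing a plugin for this class of bug, search every shortcode and block render callback for attributes that reach an HTML attribute or tag without passing through <code>esc_attr()</code>, <code>esc_html()</code> or an allow-list; an attribute like <code>class</code> that only ever takes a handful of documented values is the easiest case to lock down.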
<p><strong><em>This plugin requires <a href="https://www.advancedcustomfields.com/pro/" rel="nofollow ugc">Advanced Custom Fields PRO</a> to be installed.</em></strong></p>
<p>Plugin for polls based on regular WordPress and ACF (Advanced Custom Fields) functionality, using the <strong>WP REST API</strong> and <strong><em>JavaScript</em></strong> methods.</p>
<p>The main goal of ACF Onyx Poll is to be <strong>totally free, lightweight and simple</strong>. No fancy, colorful and polluted options or donate screens.</p>
<p>This plugin is based on the style of <a href="https://twitter.com" rel="nofollow ugc">Twitter</a> poll cards.</p>
<h4>Features</h4>
<p>✔ <strong>Gutenberg Block</strong> with live preview<br />
✔ Include a poll with a shortcode (omit the ID to get the latest poll) <code>[onyx-poll id=XX class="left|right|full"]</code><br />
✔ One click to vote<br />
✔ Works with cache plugins<br />
✔ Multiple polls per page<br />
✔ Support for images<br />
✔ Native widget for sidebar<br />
✔ Multiple style options <code>[onyx-poll class="twitter|standard"]</code><br />
✔ Show poll in a modal<br />
✔ Show poll results on widget after expiration<br />
✔ Highlight the chosen option in the results area<br />
✔ Limit votes by device or time<br />
✔ Poll activation/expiration schedule<br />
✔ Results in percentages, numbers or both<br />
✔ Show/Hide results<br />
✔ Customize CSS with CSS variables<br />
✔ Disable all plugin CSS and use your own<br />
✔ Custom columns in the WordPress data table admin area<br />
✔ Translation support</p>
<h4>Observations</h4>
<ul>
<li>
<p>This plugin does not support the Internet Explorer browser. One of the goals of this plugin is to be JS/CSS lightweight and jQuery free.</p>
</li>
<li>
<p>ACF Onyx Poll <a href="https://www.advancedcustomfields.com/resources/register-fields-via-php/" rel="nofollow ugc">registers its fields via PHP</a> so that WordPress translation functions can be used for field labels. As a result, you won’t be able to view or edit the fields inside the ACF Custom Fields settings screen.</p>
</li>
<li>
<p>To get a better/faster <strong>CRON</strong>, set up a cron job on your host that fetches the <em>https://domain.tld/wp-json/onyx/polls/cron</em> endpoint, or disable WP-Cron with <code>define('DISABLE_WP_CRON', true);</code> in your wp-config.php and create the cron job on your host/server yourself. Note that the host cron fetches the plugin's endpoint without credentials, so confirm, on your own site, that the route is limited to the poll activation/expiration work and does nothing a caller could abuse.</p>
<ul>
<li>
<p><strong>Option 1</strong>: to run the plugin endpoint every hour, set the cron: <br /> <code>0 * * * * wget -q -O - https://domain.tld/wp-json/onyx/polls/cron > /dev/null 2>&1</code></p>
</li>
<li>
<p><strong>Option 2</strong>: if you disabled the default WP-Cron, run WordPress's own cron runner every hour instead: <br /> <code>0 * * * * wget -q -O - https://domain.tld/wp-cron.php?doing_wp_cron > /dev/null 2>&1</code></p>
</li>
</ul>
</li>
</ul>