PatchSiren cyber security CVE debrief
CVE-2016-20066 dwbooster CVE debrief
CVE-2016-20066 is a persistent cross-site scripting (XSS) vulnerability in WordPress CP Polls 1.0.8. The vulnerability allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content. The CVSS score for this vulnerability is 5.1, indicating a medium severity.
- Vendor: dwbooster
- Product: CP Polls
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of WordPress CP Polls 1.0.8 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by unsanitized file uploads in WordPress CP Polls 1.0.8. Attackers can exploit this vulnerability by uploading malicious files with script payloads, which can then be executed in the browsers of users viewing the affected content.
Defensive priority
Medium
Recommended defensive actions
- Update to a patched version of WordPress CP Polls, if available.
- Implement additional security measures, such as input validation and sanitization, to prevent similar vulnerabilities.
Evidence notes
The CVE record for CVE-2016-20066 was obtained from the official CVE website [cve-org]. Additional information was obtained from the National Vulnerability Database [nvd] and source references [ref-4], [ref-5].
Official resources
CVE-2016-20066 was published on 2026-06-15T14:16:27.807Z and has not been modified since then.