The tosend.it Simple Poll plugin versions up to 1.1.1 contain a CSRF vulnerability that enables stored XSS attacks. This means an attacker can trick an authenticated user into submitting unauthorized requests that result in malicious scripts being stored and executed within the application context. The vulnerability is remotely exploitable without privileges but requires user interaction. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with low impact on availability.

Successful exploitation of this vulnerability could allow an attacker to execute stored XSS attacks via CSRF, potentially leading to session hijacking, unauthorized actions, or other malicious activities within the context of the vulnerable application. The impact includes partial loss of confidentiality, integrity, and availability as indicated by the CVSS score.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or workaround is provided in the available data, users should monitor the vendor's communications for updates. In the meantime, consider implementing CSRF protections such as anti-CSRF tokens and restricting user permissions where possible to reduce risk.