CVE-2020-11673
CRITICALResponsive Poll < 1.3.4 - Unauthenticated Poll Manipulation via wp_ajax_nopriv Callback
Title source: llmDescription
An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/poll-wp/#developers
Exploit, Third Party Advisory x_refsource_misc
https://gist.github.com/pak0s/05a0e517aeff4b1422d1a93f59718459
Scores
CVSS v3
9.8
EPSS
0.0352
EPSS Percentile
87.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-306
Status
published
Products (1)
total-soft/responsive_poll
< 1.3.4
Published
Apr 13, 2020
Tracked Since
Feb 18, 2026