CVE-2024-9475
MEDIUMPoll Maker < 5.4.6 - Authenticated SQL Injection via order_by Parameter
Title source: llmDescription
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the order_by parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References (2)
Core 2
Scores
CVSS v3
4.9
EPSS
0.0048
EPSS Percentile
37.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (2)
ays-pro/Poll Maker – Versus Polls, Anonymous Polls, Image Polls
< 5.4.6
ays-pro/poll_maker
< 5.4.7
Published
Oct 26, 2024
Tracked Since
Feb 18, 2026