3 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

Vinoj Cardoza WordPress Poll Plugin v36 and lower executes SQL statement passed in via the pollid POST parameter due to a lack of user input escaping. This allows users who craft specific SQL statements to dump the entire targets database. Vinoj Cardoza WordPress Poll Plugin versión v36 e inferior, ejecuta la sentencia SQL pasada por medio del parámetro POST pollid debido a una falta de escape de entrada del usuario. Esto permite a usuarios que diseñan sentencias SQL específicas volcar toda la base de datos de objetivos The Poll Plugin for WordPress is vulnerable to blind SQL Injection via the 'pollid' parameter in versions up to, and including, 36 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://wordpress.org/plugins/cardoza-wordpress-poll https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8EPSS: 9%CPEs: 1EXPL: 1

Multiple security bypass vulnerabilities in the editAnswer, deleteAnswer, addAnswer, and deletePoll functions in WordPress Poll Plugin 34.5 for WordPress allow a remote attacker to add, edit, and delete an answer and delete a poll. Múltiples vulnerabilidades de seguridad en las funciones editAnswer, deleteAnswer, addAnswer y deletePoll en WordPress Poll Plugin versión 34.5 para WordPress, permiten a un atacante remoto agregar, editar y eliminar una respuesta y eliminar una encuesta. Multiple security bypass vulnerabilities in the editAnswer, deleteAnswer, addAnswer, and deletePoll functions in WordPress Poll Plugin 34.05 for WordPress allow a remote attacker to add, edit, and delete an answer and delete a poll. Cardoza WordPress Poll plugin version 34.05 suffers from multiple remote SQL injection vulnerabilities. • http://www.securityfocus.com/bid/57479 https://exchange.xforce.ibmcloud.com/vulnerabilities/81467 https://www.securityfocus.com/archive/1/525370 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 1

Multiple SQL injection vulnerabilities in CWPPoll.js in WordPress Poll Plugin 34.5 for WordPress allow attackers to execute arbitrary SQL commands via the pollid or poll_id parameter in a viewPollResults or userlogs action. Múltiples vulnerabilidades de inyección SQL en el archivo CWPPoll.js en WordPress Poll Plugin versión 34.5 para WordPress, permiten a atacantes ejecutar comandos SQL arbitrarios por medio del parámetro pollid o poll_id en una acción viewPollResults o userlogs. Cardoza WordPress Poll plugin version 34.05 suffers from multiple remote SQL injection vulnerabilities. • http://www.securityfocus.com/bid/57479 https://exchange.xforce.ibmcloud.com/vulnerabilities/81466 https://www.securityfocus.com/archive/1/525370 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •