
CVE-2024-12115 – Poll Maker <= 5.5.4 - Cross-Site Request Forgery to Poll Duplication
https://notcve.org/view.php?id=CVE-2024-12115
06 Dec 2024 — The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.4. This is due to missing or incorrect nonce validation on the duplicate_poll() function. This makes it possible for unauthenticated attackers to duplicate polls via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/changeset/3202972/poll-maker/tags/5.5.5/includes/lists/class-poll-maker-polls-list-table.php?old=3202972&old_path=poll-maker%2Ftags%2F5.5.4%2Fincludes%2Flists%2Fclass-poll-maker-polls-list-table.php • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-9874 – WordPress Poll Maker Plugin <= 5.4.6 - Authenticated (Administrator+) Time-Based SQL Injection
https://notcve.org/view.php?id=CVE-2024-9874
08 Nov 2024 — The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive... • https://packetstormsecurity.com/files/179500/WordPress-Poll-Maker-5.3.2-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-9462 – Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.4.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Poll Settings
https://notcve.org/view.php?id=CVE-2024-9462
25 Oct 2024 — The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations w... • https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.6/includes/lists/class-poll-maker-polls-list-table.php#L244 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-9475 – Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.4.6 - Authenticated (Administrator+) SQL Injection via Order_by Parameter
https://notcve.org/view.php?id=CVE-2024-9475
25 Oct 2024 — The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the order_by parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitiv... • https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.5/includes/lists/class-poll-maker-each-results-poll-list-table.php#L56 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-3600 – Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3600
18 Apr 2024 — The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •

CVE-2024-3601 – Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Email Enumeration
https://notcve.org/view.php?id=CVE-2024-3601
18 Apr 2024 — The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •

CVE-2023-41871 – WordPress Poll Maker Plugin <= 4.7.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41871
05 Sep 2023 — Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Poll Maker Team Poll Maker plugin <= 4.7.0 versions. The Poll Maker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary... • https://patchstack.com/database/vulnerability/poll-maker/wordpress-poll-maker-best-wordpress-poll-plugin-plugin-4-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-34013 – WordPress Poll Maker Plugin <= 4.6.2 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-34013
26 Jun 2023 — Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker – Best WordPress Poll Plugin. This issue affects Poll Maker – Best WordPress Poll Plugin: from n/a through 4.6.2. The Poll Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 4.6.2... • https://patchstack.com/database/vulnerability/poll-maker/wordpress-poll-maker-plugin-4-6-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2022-1456 – Poll Maker < 4.0.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1456
04 May 2022 — The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed. • https://wpscan.com/vulnerability/1f41fc5c-18d0-493d-9a7d-8b521ab49f85 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-24651 – Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection
https://notcve.org/view.php?id=CVE-2021-24651
13 Sep 2021 — The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hashes. • https://wpscan.com/vulnerability/24f933b0-ad57-4ed3-817d-d637256e2fb1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-203: Observable Discrepancy •