CVE-2021-24483SQL Injection in PRO Poll Maker

CWE-89SQL Injection3 documents3 sources
Severity
7.2HIGHNVD
EPSS
0.6%
top 31.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
AYS PRO Poll MakerAys-pro Poll Maker
Timeline
PublishedAug 2
Latest updateMay 24

Description

The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

CVEListV5ays_pro/poll_maker3.2.13.2.1
NVDays-pro/poll_maker< 3.2.1

🔴Vulnerability Details

2
GHSA
GHSA-2fgg-h7jw-4j9r: The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 32022-05-24
CVEList
Poll Maker < 3.2.1 - Authenticated Blind SQL Injections2021-08-02
CVE-2021-24483 — SQL Injection in AYS PRO Poll Maker | cvebase