CVE-2021-24651

CWE-89SQL InjectionCWE-2033 documents3 sources
Severity
7.5HIGH
EPSS
1.4%
top 19.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Poll MakerAys-pro Poll Maker
Timeline
PublishedOct 11
Latest updateMay 24

Description

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5unknown/poll_maker3.4.23.4.2
NVDays-pro/poll_maker< 3.4.2

🔴Vulnerability Details

2
GHSA
GHSA-64xf-q24f-59cv: The Poll Maker WordPress plugin before 32022-05-24
CVEList
Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection2021-10-11
CVE-2021-24651 (HIGH CVSS 7.5) | The Poll Maker WordPress plugin bef | cvebase.io