CVE-2024-12115Cross-Site Request Forgery in Poll Maker

CWE-352Cross-Site Request Forgery3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 60.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ays-pro Poll Maker
Timeline
PublishedDec 7

Description

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.4. This is due to missing or incorrect nonce validation on the duplicate_poll() function. This makes it possible for unauthenticated attackers to duplicate polls via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

NVDays-pro/poll_maker< 5.5.5

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-2f8c-4h5p-8xr7: The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, an2024-12-07
CVEList
Poll Maker <= 5.5.4 - Cross-Site Request Forgery to Poll Duplication2024-12-07