Description

WordPress Plugin Simply Poll is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Simply Poll version 1.4.1 is vulnerable; prior versions may also be affected.

Remediation

Edit the source code to ensure that input is properly sanitised or disable the plugin until a fix is available

References

https://www.tad.bg/en/exploits/our-exploits/simply-poll-1-4-1-plugin-for-wordpress-sql-injection

https://www.exploit-db.com/exploits/40971/

https://packetstormsecurity.com/files/140288/WordPress-Simply-Poll-1.4.1-SQL-Injection.html

Related Vulnerabilities

WordPress Plugin Gallery-Flagallery Photo Portfolio Cross-Site Request Forgery (5.3.6)

WordPress Plugin Product Addons & Fields for WooCommerce Same Origin Method Execution (SOME) (14.0)

WordPress Plugin WP Photo Album 'photo' Parameter SQL Injection (1.0)

WordPress Plugin WP Editor.md Cross-Site Scripting (1.6)

WordPress Plugin Youzify-BuddyPress Community, User Profile, Social Network & Membership for WordPress Cross-Site Scripting (1.2.1)

Severity

High

Classification

CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection