Description
WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database.
Published: 2026-05-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin Survey & Poll version 1.5.7.3 exposes an SQL injection flaw that allows an attacker to inject arbitrary SQL code through the wp_sap cookie. The vulnerability can be used by unauthenticated users to retrieve sensitive database content such as usernames, passwords, and other confidential data. The core weakness (CWE-89) indicates insufficient input sanitization of cookie data, enabling attackers to compromise the integrity and confidentiality of the WordPress database.

Affected Systems

WordPress sites that have installed the Modalsurvey Survey & Poll plugin up to and including version 1.5.7.3 are affected. Sites running newer releases are presumed not to be vulnerable; earlier or unreleased versions lack detailed information, so caution is advised if the plugin is used.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as High severity. Although the EPSS score is not available, the publicly documented exploitation references indicate that the vulnerability is feasible for remote attackers acting without prior authentication. The keystone "wp_sap" cookie can be manipulated freely, making the attack path straightforward for an attacker with internet access to the site. As the CVE is not listed in the CISA KEV catalog, no known widespread exploits are recorded as of the latest data.

Generated by OpenCVE AI on May 10, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update that removes the SQL injection flaw.
  • Deploy a web application firewall rule that sanitizes or blocks malicious content in the wp_sap cookie to prevent injection attempts.
  • Monitor database and application logs for abnormal SQL queries that may indicate an attack, and take remedial action if detected.

Generated by OpenCVE AI on May 10, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Modalsurvey
Modalsurvey survey & Poll
Wordpress
Wordpress wordpress
Vendors & Products Modalsurvey
Modalsurvey survey & Poll
Wordpress
Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database.
Title WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss_params
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Modalsurvey Survey & Poll
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T14:43:52.435Z

Reserved: 2026-02-01T11:24:18.718Z

Link: CVE-2021-47941

cve-icon Vulnrichment

Updated: 2026-05-11T14:43:48.817Z

cve-icon NVD

Status : Deferred

Published: 2026-05-10T13:16:30.493

Modified: 2026-05-12T14:24:15.210

Link: CVE-2021-47941

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:23:28Z

Weaknesses