Description
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the ‘filterbyauthor’ parameter in all versions up to, and including, 6.0.7 due to insufficient escaping of the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
Published: 2025-11-13
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection allowing extraction of sensitive database information
Action: Patch Immediately
AI Analysis

Impact

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress contains a generic SQL Injection vulnerability in the 'filterbyauthor' parameter. Unsanitized input is inserted directly into a database query, permitting attackers who hold Administrator‑level credentials to inject additional SQL statements. The result is the ability to read sensitive data from the database, potentially exposing site content, user information, or payment details. The flaw requires the attacker to be authenticated at an administrative level and does not allow unauthenticated exploitation.

Affected Systems

The vulnerability affects the ays‑pro Poll Maker plugin, versions up to and including 6.0.7, as installed on WordPress sites. Sites running any affected version are exposed to attackers who already hold Administrator-level access. No other WordPress plugins or core components are listed as affected.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate impact, while the EPSS score of below 1% reflects a very low probability that the vulnerability will be exploited in the wild at this time. The flaw is not listed in the CISA KEV catalog, so it is not currently known to be actively exploited. Likely attack scenarios involve an attacker who already has administrator access or who has compromised an administrative account through phishing or credential reuse. With such access, the attacker can send HTTP requests containing crafted 'filterbyauthor' values to inject SQL statements and read data from the database.

Generated by OpenCVE AI on April 22, 2026 at 00:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin version that excludes the vulnerability (check for updates to Poll Maker newer than 6.0.7).
  • If no update is available, remove or deactivate the plugin immediately to eliminate the attack surface.
  • Implement strict input validation and use parameterized queries for the 'filterbyauthor' parameter to protect against SQL injection (CWE‑89).
  • Restrict administrative access by enforcing multi‑factor authentication and limiting the number of privileged accounts.
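As an added illustration of the third recommendation (this is not the Poll Maker plugin's own code; the handler, table and column names are assumed for the example), a WordPress admin handler that concatenates the request parameter into SQL, beside a hardened version that checks capability and nonce, validates the value, and binds it through $wpdb->prepare():

```php
<?php
// Added example, not code from the plugin. The table name
// wp_<prefix>ays_poll_maker_polls and the column author_id are assumed.

// Vulnerable pattern (CWE-89): the request value is interpolated into SQL
// with no escaping and no prepare(), so any SQL in the parameter is executed.
function pm_example_list_polls_unsafe() {
    global $wpdb;
    $author = isset( $_GET['filterbyauthor'] ) ? $_GET['filterbyauthor'] : '';
    $sql = "SELECT id, title FROM {$wpdb->prefix}ays_poll_maker_polls"
         . " WHERE author_id = " . $author;
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: capability check, nonce check, strict type validation,
// and a parameterized query so the value can never change the SQL structure.
function pm_example_list_polls_safe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    $nonce = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'pm_example_list_polls' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $sql = "SELECT id, title FROM {$wpdb->prefix}ays_poll_maker_polls";
    if ( isset( $_GET['filterbyauthor'] ) && '' !== $_GET['filterbyauthor'] ) {
        // Allow-list: the filter must be a positive integer user ID.
        $author = absint( wp_unslash( $_GET['filterbyauthor'] ) );
        if ( 0 === $author ) {
            return new WP_Error( 'bad_author', 'filterbyauthor must be a positive integer.' );
        }
        // %d placeholder: the value is bound as an integer, not spliced as text.
        $sql = $wpdb->prepare( $sql . ' WHERE author_id = %d', $author );
    }
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

If the real parameter carries a login name rather than a numeric ID, keep the same structure but validate with sanitize_user() and bind with a %s placeholder instead of %d.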


Tracking


Advisories

No advisories yet.

History

Fri, 14 Nov 2025 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Nov 2025 16:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ays-pro; Ays-pro poll Maker; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Ays-pro; Ays-pro poll Maker; Wordpress; Wordpress wordpress

Thu, 13 Nov 2025 05:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the ‘filterbyauthor’ parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Removed: (none)
Values Added: Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 6.0.7 - Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Ays-pro Poll Maker
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:14.819Z

Reserved: 2025-11-02T16:28:40.451Z

Link: CVE-2025-12620

Vulnrichment

Updated: 2025-11-14T16:49:40.689Z

NVD

Status: Deferred

Published: 2025-11-13T06:16:00.343

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses