Impact
The vulnerability in the Ays Pro Poll Maker plugin is a missing authorization flaw that permits attackers to perform actions beyond their intended privileges. An attacker who can reach the plugin's management interface can manipulate polls (creating, editing, or deleting them) without proper verification of user roles. This flaw maps to CWE-862 (Missing Authorization, a broken-access-control weakness) and undermines the integrity and confidentiality of poll data. The CVSS score of 6.5 indicates a moderate severity that could lead to significant adverse effects if exploited by a malicious actor.
Affected Systems
The issue affects the Ays Pro Poll Maker WordPress plugin in all releases through version 5.5.0. Any WordPress site that has installed the plugin up to and including this version is vulnerable, regardless of its configuration settings.
Risk and Exploitability
The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, suggesting that exploit activity is currently rare. However, the attack vector is most likely the web application interface, which is accessible to any user with appropriate access rights to the WordPress dashboard. An attacker does not require administrative privileges to exploit the flaw; with sufficient access to the plugin settings, they can bypass authorization checks and carry out unauthorized modifications. Given the moderate CVSS score and low EPSS, the risk is moderate, but the potential impact warrants prompt action.
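To make the weakness class concrete for developers and reviewers, the following is an added illustration of what a CWE-862 handler in a WordPress plugin looks like beside its hardened form. It is hypothetical example code, not the Ays Pro Poll Maker plugin's own code; the function, hook, option and nonce names are assumptions.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical WordPress AJAX
// handler that deletes a poll. The first version shows the CWE-862 pattern
// (no capability or nonce check); the second shows the hardened form.

// --- Weak pattern: any logged-in user reaching wp-admin/admin-ajax.php can
// trigger this, because wp_ajax_* hooks only require authentication, not
// authorization. Hypothetical function and option names.
function example_delete_poll_weak() {
    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    $polls   = get_option( 'example_polls', array() );
    unset( $polls[ $poll_id ] );
    update_option( 'example_polls', $polls );
    wp_send_json_success( array( 'deleted' => $poll_id ) );
}

// --- Hardened form: verify the request is intentional (nonce) and that the
// caller is authorized (capability) before touching poll data.
function example_delete_poll_secure() {
    // CSRF protection: nonce issued to the admin page that renders the button.
    // check_ajax_referer() terminates the request on a bad or missing nonce.
    check_ajax_referer( 'example_delete_poll', 'nonce' );

    // Authorization: authentication alone is not enough. Use a capability
    // that maps to the role meant to manage polls (manage_options = admins).
    // wp_send_json_error() exits, so no return is needed after it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    if ( 0 === $poll_id ) {
        wp_send_json_error( array( 'message' => 'Invalid poll id' ), 400 );
    }

    $polls = get_option( 'example_polls', array() );
    unset( $polls[ $poll_id ] );
    update_option( 'example_polls', $polls );
    wp_send_json_success( array( 'deleted' => $poll_id ) );
}

// Register only the hardened handler; no wp_ajax_nopriv_ hook is added,
// so unauthenticated visitors cannot reach it at all.
add_action( 'wp_ajax_example_delete_poll', 'example_delete_poll_secure' );
```

When auditing a plugin for this class of flaw, look for every wp_ajax_, admin_post_ and REST callback that changes state and confirm it performs a current_user_can() check (or an equivalent permission_callback) rather than relying on the user merely being logged in.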
OpenCVE Enrichment