Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Poll Maker poll-maker allows Blind SQL Injection. This issue affects Poll Maker: from n/a through <= 5.6.5.
Published: 2025-02-25
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper neutralization of special elements in SQL commands within the Ays Pro Poll Maker WordPress plugin, allowing an attacker to inject arbitrary SQL statements. The result can be unauthorized reading of database contents, modification of stored data, or other destructive actions that compromise both confidentiality and integrity of the site’s information. The assigned CVSS score of 7.6 reflects the potential impact when combined with the presence of a web‑accessible form.

Affected Systems

WordPress installations that have the Poll Maker plugin version 5.6.5 or earlier are affected. This includes any site that has not upgraded beyond 5.6.5 and continues to use the poll creation or response interfaces provided by the plugin.

Risk and Exploitability

The EPSS score of less than 1% suggests that large‑scale exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is straightforward: by submitting specially crafted input through the poll form or related endpoints, a remote actor can trigger blind SQL injection. Once the injection succeeds, the attacker can extract, modify, or delete data without needing user credentials beyond access to the poll interface.

Generated by OpenCVE AI on May 1, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Poll Maker plugin to the latest released version (5.6.6 or newer) to eliminate the SQL injection flaw.
  • Deploy or configure a web application firewall (WAF) to block common SQL injection payloads that target poll input fields.
  • Restrict or disable poll creation and submission endpoints for unauthenticated users until the plugin patch is applied.



Advisories
Source ID Title
EUVD EUVD-2025-5381 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ays-pro Poll Maker allows Blind SQL Injection. This issue affects Poll Maker: from n/a through 5.6.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ays-pro Poll Maker allows Blind SQL Injection. This issue affects Poll Maker: from n/a through 5.6.5.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Poll Maker poll-maker allows Blind SQL Injection. This issue affects Poll Maker: from n/a through <= 5.6.5.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 21 May 2025 17:30:00 +0000

Type: First Time appeared
Values Added: Ays-pro; Ays-pro poll Maker

Type: CPEs
Values Added: cpe:2.3:a:ays-pro:poll_maker:*:*:*:*:free:wordpress:*:*

Type: Vendors & Products
Values Added: Ays-pro; Ays-pro poll Maker

Tue, 25 Feb 2025 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ays-pro Poll Maker allows Blind SQL Injection. This issue affects Poll Maker: from n/a through 5.6.5.

Type: Title
Values Added: WordPress Poll Maker <= 5.6.5 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:45.775Z

Reserved: 2025-02-17T11:51:40.974Z

Link: CVE-2025-26971

Vulnrichment

Updated: 2025-02-25T14:53:17.111Z

NVD

Status: Modified

Published: 2025-02-25T15:15:30.017

Modified: 2026-04-23T15:26:09.760

Link: CVE-2025-26971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z
