Description
Server-Side Request Forgery (SSRF) vulnerability in totalsoft TS Poll poll-wp allows Server Side Request Forgery. This issue affects TS Poll: from n/a through <= 2.5.5.
Published: 2026-02-19
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Assess Impact
AI Analysis

Impact

A Server-Side Request Forgery (SSRF) flaw exists in the TS Poll plugin for WordPress, enabling an attacker to force the application to make arbitrary HTTP requests to internal or external resources. If exploited, the plugin could fetch sensitive information, communicate with internal services, or facilitate further attacks such as remote code execution. The weakness stems from improper validation of user-supplied URLs, classified as CWE-918.

Affected Systems

The vulnerability impacts the totalsoft TS Poll plugin for WordPress, affecting all releases up to and including version 2.5.5. Users running these versions on any WordPress installation are at risk.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The flaw is not currently listed in CISA's KEV catalog. The attack vector is inferred to be an exposed plugin endpoint that accepts URLs without proper sanitization, reached through a poll-related action; the CVSS vector recorded for this CVE (AV:N/AC:H/PR:H) specifies network access, high attack complexity and high privileges. No patch is published in the data, so the risk remains until a version that removes the flaw or restricts outbound requests is deployed.

Generated by OpenCVE AI on April 16, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TS Poll plugin to the latest version that includes the SSRF fix.
  • Configure network policies or firewall rules to block arbitrary outbound connections initiated by the WordPress environment.
  • Implement URL validation or a strict whitelist in the plugin’s request handling to prevent the use of unintended endpoints.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Total-soft, Total-soft ts Poll, Wordpress, Wordpress wordpress |
| Vendors & Products | | Total-soft, Total-soft ts Poll, Wordpress, Wordpress wordpress |

Thu, 19 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'} |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Thu, 19 Feb 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Server-Side Request Forgery (SSRF) vulnerability in totalsoft TS Poll poll-wp allows Server Side Request Forgery. This issue affects TS Poll: from n/a through <= 2.5.5. |
| Title | | WordPress TS Poll plugin <= 2.5.5 - Server Side Request Forgery (SSRF) vulnerability |
| Weaknesses | | CWE-918 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:58.024Z

Reserved: 2026-02-02T12:53:34.262Z

Link: CVE-2026-25428

Vulnrichment

Updated: 2026-02-19T17:02:16.732Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:24.163

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:15:18Z

Weaknesses