Description
Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion. This issue affects Total Poll Lite: from n/a through <= 4.12.0.
Published: 2026-03-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an improper control of generation of code (code injection) that allows an attacker to include arbitrary PHP code in the WordPress Total Poll Lite plugin. The attack can lead to full remote code execution on affected WordPress sites, giving attackers control over the host.

Affected Systems

The vulnerability affects the TotalSuite Total Poll Lite plugin for WordPress. It is present in all releases from the earliest available up through version 4.12.0. Sites running this plugin without upgrading are vulnerable.

Risk and Exploitability

The CVSS score is 9.9, indicating a critical-severity risk. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. Documentation does not specify an authentication requirement, so it is inferred that a remote attacker with network access to the site could exploit the vulnerability by sending specially crafted data to the plugin’s remote code inclusion point, assuming default configuration. Given that the outcome is code execution, rapid exploitation is plausible.

Generated by OpenCVE AI on March 25, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Total Poll Lite to a version newer than 4.12.0 or remove the plugin if it is not required.
  • If an upgrade is not immediately possible, disable the plugin and delete it from the WordPress installation to eliminate the attack surface.
  • Monitor server logs and file permissions for unexpected PHP file creation or execution attempts.
  • Patch or update WordPress core and any other plugins to eliminate ancillary vulnerabilities that could be combined with this issue.
  • Maintain a regular backup schedule to enable rapid restoration if compromise occurs.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Totalsuite; Totalsuite total Poll Lite; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Added: Totalsuite; Totalsuite total Poll Lite; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 20:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
  Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion. This issue affects Total Poll Lite: from n/a through <= 4.12.0.

Type: Title
  Values Added: WordPress Total Poll Lite plugin <= 4.12.0 - Remote Code Execution (RCE) vulnerability

Type: Weaknesses
  Values Added: CWE-94

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T19:55:53.726Z

Reserved: 2026-02-17T13:23:18.876Z

Link: CVE-2026-27044

Vulnrichment

Updated: 2026-03-25T19:55:50.320Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:53.587

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:38:08Z

Weaknesses