Description
Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total Poll Lite: from n/a through <= 4.12.0.
Published: 2026-04-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to poll data and configuration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing authorization issue that allows exploitation of incorrectly configured access control security levels in TotalSuite’s Total Poll Lite plugin for WordPress. As a result, an attacker may read or modify poll data and settings that should be restricted to authorized users. The weakness is classified as CWE-862 (Missing Authorization), a form of broken access control.

Affected Systems

The affected product is TotalSuite’s Total Poll Lite, impacting all releases from the initial version up to and including 4.12.0. WordPress sites that have this plugin installed and are running a version no newer than 4.12.0 are vulnerable.

Risk and Exploitability

The CVSS score of 6.3 corresponds to Medium severity. The EPSS score is below 1%, indicating a low probability of exploitation at present. The CVE is not listed in the CISA KEV catalog, suggesting no known high-profile exploitation. Based on the description, it is inferred that the attacker could target the plugin’s administrative endpoints through the WordPress interface; however, the exact conditions required for exploitation are not detailed in the advisory.

Generated by OpenCVE AI on April 13, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Total Poll Lite plugin to a version newer than 4.12.0 or remove the plugin if no update is available
  • Verify that WordPress roles and capabilities restrict poll administration to trusted users
  • Monitor site logs for unusual activity related to poll administration and review poll data for unauthorized changes

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totalsuite; Totalsuite total Poll Lite; Wordpress; Wordpress wordpress
Vendors & Products | | Totalsuite; Totalsuite total Poll Lite; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total Poll Lite: from n/a through <= 4.12.0.
Title | | WordPress Total Poll Lite plugin <= 4.12.0 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-13T18:45:32.734Z

Reserved: 2026-04-07T10:57:48.107Z

Link: CVE-2026-39651

Vulnrichment

Updated: 2026-04-13T18:45:29.610Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:36.193

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:38:51Z

Weaknesses