Description
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays_poll_get_user_information' AJAX action, which serializes and returns the complete WP_User object — including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities — without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks.
Published: 2026-05-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Poll Maker plug‑in’s ays_poll_get_user_information AJAX action lacks proper access controls, returning the full WP_User object, including password hashes and personal data, to any authenticated user with subscriber privileges. This results in a sensitive information exposure vulnerability (CWE‑200) that allows attackers to harvest password hashes and other personal details from their own or other subscriber accounts. The disclosed data can then be used for offline password‑cracking or reconnaissance.

Affected Systems

WordPress sites running the Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls plug‑in with a version of 6.3.7 or earlier are affected. Versions 6.3.8 and above have the vulnerability addressed and are not impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS or KEV data is available, suggesting no widespread exploitation has been observed. Attackers must already be authenticated, but subscriber roles are common, so the attack surface is considerable. Although no public exploit exists, the exposed password hashes can be used for serious offline attacks, so the risk warrants priority remediation.

Generated by OpenCVE AI on May 29, 2026 at 04:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Poll Maker plug‑in to version 6.3.8 or later to remove the missing access controls.
  • If an update cannot be applied immediately, temporarily block the ays_poll_get_user_information AJAX endpoint for subscriber users or add a nonce and capability check in custom code.
  • Ensure that all user accounts use strong, salted passwords to reduce the effectiveness of any stolen password hashes.

Generated by OpenCVE AI on May 29, 2026 at 04:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro poll Maker By Ays – Versus Polls, Anonymous Polls, Image Polls
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro poll Maker By Ays – Versus Polls, Anonymous Polls, Image Polls
Wordpress
Wordpress wordpress

Fri, 29 May 2026 10:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays_poll_get_user_information' AJAX action, which serializes and returns the complete WP_User object — including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities — without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks.
Title Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Ays-pro Poll Maker By Ays – Versus Polls, Anonymous Polls, Image Polls
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:07:40.915Z

Reserved: 2026-05-19T13:29:26.247Z

Link: CVE-2026-8995

cve-icon Vulnrichment

Updated: 2026-05-29T10:07:35.741Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T04:17:11.040

Modified: 2026-05-29T13:09:05.450

Link: CVE-2026-8995

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:47:36Z

Weaknesses