SQL Injection Vulnerability in WordPress Survey & Poll Plugin
CVE-2024-13596
6.5MEDIUM
Key Information:
- Vendor
- Pantherius
- Status
- WordPress Survey & Poll – Quiz, Survey And Poll Plugin For WordPress
- Vendor
- CVE Published:
- 30 January 2025
Summary
The Survey & Poll – Quiz, Survey and Poll Plugin for WordPress is susceptible to SQL Injection through the 'id' attribute of the 'survey' shortcode due to inadequate escaping of user-supplied input. This vulnerability allows authenticated attackers with Contributor-level access or higher to manipulate existing SQL queries, potentially leading to data extraction and exposing sensitive database information. It affects all versions of the plugin up to and inclusive of 1.7.5, making it essential for users to update to mitigate risks.
Affected Version(s)
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress * <= 1.7.5
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Thaleikis