SQL Injection Vulnerability in Pollin Plugin for WordPress
CVE-2024-13712

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Pollin
Vendor: CVE Published:; 19 February 2025

Summary

The Pollin plugin for WordPress contains a vulnerability that allows SQL Injection through the 'question' parameter. This issue arises from inadequate input escaping and improper query preparation, enabling unauthenticated attackers to inject malicious SQL statements. Such injections can lead to unauthorized access and the potential exposure of sensitive information stored in the database. Users of versions up to and including 1.01.1 should take immediate action to secure their installations.

Affected Version(s)

Pollin * <= 1.01.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/pollin/

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 19, 2025
Vulnerability Reserved
Jan 24, 2025

Credit

Colin Xu