SQL Injection Vulnerability in TS Poll Plugin for WordPress
CVE-2024-9022

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Ts Poll – Survey, Versus Poll, Image Poll, Video Poll
Vendor: CVE Published:; 10 October 2024

Summary

The TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress is susceptible to SQL Injection due to inadequate escaping of the 'orderby' parameter in all versions up to and including 2.3.9. This vulnerability allows authenticated attackers at the Administrator level and above to inject additional SQL queries into existing ones, thereby enabling them to access and manipulate sensitive information stored in the database. Proper validation and preparation of SQL queries are essential to prevent such security breaches.

Affected Version(s)

TS Poll – Survey, Versus Poll, Image Poll, Video Poll * <= 2.3.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://packetstormsecurity.com/files/179414/WordPress-Po...

https://github.com/capture0x/Poll-Plugin-SQL-Injection-

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2024
Vulnerability Reserved
Sep 19, 2024