CVE-2025-26971
Published: 25 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-26971 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the Ays Pro Poll Maker WordPress plugin, also referred to as poll-maker. This flaw affects Poll Maker versions from n/a through 5.6.5 and is classified under CWE-89.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating network accessibility, low attack complexity, requirement for high privileges, no user interaction, changed scope, high confidentiality impact, no integrity impact, and low availability impact. High-privilege users, such as authenticated administrators, can exploit it remotely to achieve data extraction from the underlying database through blind SQL injection techniques.
Patchstack advisories detail this SQL injection vulnerability in WordPress Poll Maker 5.6.5 and provide guidance on mitigation, available at https://patchstack.com/database/Wordpress/Plugin/poll-maker/vulnerability/wordpress-poll-maker-5-6-5-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing WordPress plugin enables remote exploitation for database data extraction by high-privilege users.