Vulnerability Description
Vinoj Cardoza WordPress Poll Plugin v36 and lower executes SQL statement passed in via the pollid POST parameter due to a lack of user input escaping. This allows users who craft specific SQL statements to dump the entire targets database.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress Poll Project | Wordpress Poll | <= 36.0 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/cardoza-wordpress-poll/Release NotesThird Party Advisory
- https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ExploitThird Party AdvisoryURL Repurposed
- https://wordpress.org/plugins/cardoza-wordpress-poll/Release NotesThird Party Advisory
- https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ExploitThird Party AdvisoryURL Repurposed
FAQ
What is CVE-2020-24315?
CVE-2020-24315 is a vulnerability with a CVSS score of 7.5 (HIGH). Vinoj Cardoza WordPress Poll Plugin v36 and lower executes SQL statement passed in via the pollid POST parameter due to a lack of user input escaping. This allows users who craft specific SQL statemen...
How severe is CVE-2020-24315?
CVE-2020-24315 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-24315?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Poll Project Wordpress Poll.