TS Poll – Survey, Versus Poll, Image Poll, Video Poll < 2.4.0 – Admin+ SQL Injection | CVE 2024-8625

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

1. Add a poll
2. Access the URL `https://example.com/wp-admin/admin.php?page=ts-poll&orderby=%28SELECT+6127+FROM+%28SELECT%28SLEEP%285%29%29%29mIWx%29&order=desc`
3. See the slow response due to the `SLEEP` command

Affects Plugins

poll-wp

Fixed in 2.4.0

References

CVE

CVE-2024-8625

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

4.1 (medium)

Miscellaneous

Original Researcher

Chu Quoc Khanh

Submitter

Chu Quoc Khanh

Verified

Yes

WPVDB ID

ab4d7065-4ea2-4233-9593-0f540f91f45e

Timeline

Publicly Published

2024-09-30 (about 1 year ago)

Added

2024-09-30 (about 1 year ago)

Last Updated

2024-09-30 (about 1 year ago)

Other

Published

Title

Published

2014-08-01

Title

Automatic 2.0.3 - csv.php q Parameter SQL Injection

Published

2025-07-15

Title

Mediabay - WordPress Media Library Folders <= 1.4 - Authenticated (Subscriber+) SQL Injection

Published

2014-09-27

Title

Quartz Plugin 1.01.1 - SQL Injection

Published

2024-04-12

Title

User Activity Log Pro <= 2.3.4 - Authenticated (Subscriber+) SQL Injection

Published

2023-10-12

Title

Nexter < 2.0.4 - Authenticated (Subscriber+) SQL Injection via 'to' and 'from'