WordPress Plugin Vulnerabilities

Cardoza WordPress Poll <= 36 - Authenticated SQL Injection

Description

The Cardoza WordPress Poll plugin was vulnerable to authenticated SQL Injection in the "pollid" POST parameter when submitting a poll deletion request.

Proof of Concept

Affects Plugins

Plugin icon
cardoza-wordpress-poll
No known fix

References

CVE
CVE-2020-24315

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.1 (high)

Miscellaneous

Original Researcher
zerodetail & ratherbland
Verified
No
WPVDB ID
eb3fb341-f072-426f-9333-6d83274db28a

Timeline

Publicly Published
2020-08-10 (about 5 years ago)
Added
2020-08-26 (about 5 years ago)
Last Updated
2022-01-17 (about 4 years ago)

Other

Published
Title
Published
2026-04-06
Title
Media Library Assistant < 3.35 - Authenticated (Contributor+) SQL Injection
Published
2022-05-11
Title
WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
Published
2014-11-25
Title
Google Document Embedder <= 2.5.14 - SQL Injection
Published
2024-10-18
Title
Social Link Groups <= 1.1.0 - Authenticated (Contributor+) SQL Injection
Published
2023-12-04
Title
Advanced Database Cleaner < 3.1.3 - Authenticated (Administrator+) SQL Injection