PT-2020-12762 · Totalsoft · Responsive Poll

Pak0S · Published 2020-04-13 · Updated 2021-07-21 · CVE-2020-11673

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Responsive Poll versions 1.3.4 and earlier

Description

An issue allows an unauthenticated user to manipulate polls, including deleting, cloning, or viewing hidden polls. This is due to the use of the wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations.

Recommendations

For Responsive Poll versions 1.3.4 and earlier, consider disabling the sensitive operations within the wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php until a patch is available. Restrict access to the Includes/Total-Soft-Poll-Ajax.php file to minimize the risk of exploitation.

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2020-11673

Affected Products

Responsive Poll