PT-2021-16165 · WordPress · Poll Maker

Apple502J · Published 2021-10-11 · Updated 2022-11-09

CVE-2021-24651
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: The Poll Maker WordPress plugin, versions prior to 3.4.2.

Description: The issue allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. Although the query result is not disclosed in the response, a timing attack can be used to exfiltrate sensitive data, such as password hashes.

Recommendations: For versions prior to 3.4.2, update to version 3.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the ays_finish_poll AJAX action to prevent potential exploitation.
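One way to apply the temporary workaround above is a must-use plugin that refuses unauthenticated requests for the vulnerable action before Poll Maker's handler runs. The following is an added example written for this advisory; it is not code from Poll Maker, from WordPress, or from the advisory author. It assumes the action name `ays_finish_poll` as given in the description, the standard WordPress admin-ajax.php dispatch (`admin_init` fires before the `wp_ajax_nopriv_{action}` hook), and a hypothetical guard name of my own choosing.

```php
<?php
/**
 * Plugin Name: Temporary guard for the ays_finish_poll AJAX action
 * Description: Drop-in mu-plugin (wp-content/mu-plugins/) that refuses
 *              unauthenticated requests to the vulnerable action until
 *              Poll Maker is updated to 3.4.2 or later. Added example,
 *              not code from Poll Maker or from this advisory.
 */

// Action name taken from the advisory; the guard's own names are hypothetical.
const AYS_GUARD_BLOCKED_ACTION = 'ays_finish_poll';

function ays_guard_requested_action() {
    // admin-ajax.php reads the action from GET or POST, so mirror that.
    if (!isset($_REQUEST['action'])) {
        return '';
    }
    return sanitize_key(wp_unslash($_REQUEST['action']));
}

function ays_guard_block_unauthenticated() {
    // Only admin-ajax.php requests are of interest.
    if (!wp_doing_ajax()) {
        return;
    }
    if (ays_guard_requested_action() !== AYS_GUARD_BLOCKED_ACTION) {
        return;
    }
    // The advisory concerns the unauthenticated (nopriv) path; requests from
    // logged-in users are left to the plugin's own handler.
    if (is_user_logged_in()) {
        return;
    }
    // Record the attempt so blocked requests appear in the PHP error log,
    // which doubles as a detection signal while the workaround is in place.
    error_log(sprintf(
        'ays_guard: blocked unauthenticated %s request from %s',
        AYS_GUARD_BLOCKED_ACTION,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));
    // wp_send_json_error() sets the HTTP status, emits JSON and exits, so the
    // plugin's wp_ajax_nopriv_ays_finish_poll handler never runs.
    wp_send_json_error(array('message' => 'This action is temporarily disabled.'), 403);
}

// admin_init fires in admin-ajax.php before the wp_ajax_nopriv_{action}
// hook, so priority 0 here runs ahead of the plugin's handler.
add_action('admin_init', 'ays_guard_block_unauthenticated', 0);
```

Save the file under wp-content/mu-plugins/ so it loads on every request without activation, and remove it once the plugin is updated to 3.4.2 or later. The guard only covers the admin-ajax.php entry point and only the unauthenticated path the advisory describes; it is a stopgap, not a replacement for the vendor fix.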

Tags: SQL injection, Side Channel Attack
Related Identifiers: CVE-2021-24651

Affected Products: Poll Maker