PT-2024-39367 · WordPress · Ts Poll – Survey

Tmrswrr · Published 2024-10-09 · Updated 2024-10-15 · CVE-2024-9022
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress versions up to, and including, 2.3.9
Description: The issue arises from insufficient escaping on the user-supplied orderby parameter and lack of sufficient preparation on the existing SQL query, making it possible for authenticated attackers with Administrator-level access and above to append additional SQL queries into already existing queries. This can be used to extract sensitive information from the database.
Recommendations: For versions up to, and including, 2.3.9, consider disabling the orderby parameter until a patch is available to prevent exploitation. Restrict access to the plugin's SQL queries to minimize the risk of sensitive information extraction. Update to a version higher than 2.3.9 when available, as it is expected to include fixes for the SQL Injection vulnerability.
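The description above names the root cause: a user-supplied orderby value reaches an ORDER BY clause without escaping, and the surrounding query is not prepared. The example below is added here and is not the plugin's code; it shows the defensive pattern WordPress developers use for this class of bug, with a hypothetical table (`{$wpdb->prefix}example_polls`), hypothetical column names and hypothetical function names. Sort column and direction are taken only from fixed allowlists, and the one real value (a status filter) goes through `$wpdb->prepare()`, because prepare() placeholders such as `%s` are for values, not for identifiers.

```php
<?php
// Added example, not the plugin's own code. Table, columns and function
// names are hypothetical; the pattern is the standard WordPress one.

/**
 * Map the requested sort column onto a fixed allowlist of real column names.
 * Anything not on the list falls back to a safe default, so the identifier
 * interpolated into ORDER BY is never attacker-controlled text.
 */
function ts_example_sanitize_orderby( $requested ) {
    $allowed   = array( 'id', 'title', 'votes', 'created' ); // hypothetical columns
    $requested = strtolower( (string) $requested );
    return in_array( $requested, $allowed, true ) ? $requested : 'id';
}

/**
 * Sort direction is a two-value enum; only the two literals are allowed.
 */
function ts_example_sanitize_order( $requested ) {
    return ( 'desc' === strtolower( (string) $requested ) ) ? 'DESC' : 'ASC';
}

/**
 * Build and run the query. The status value is bound with prepare();
 * the ORDER BY identifier and direction come only from the allowlists above.
 * (WordPress 6.2+ also offers the %i placeholder for identifiers, which is
 * an alternative to string interpolation once the name has been allowlisted.)
 */
function ts_example_get_polls( $orderby_param, $order_param, $status ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_polls'; // hypothetical table
    $orderby = ts_example_sanitize_orderby( $orderby_param );
    $order   = ts_example_sanitize_order( $order_param );

    // The unsafe pattern this replaces is concatenating the raw request
    // value into the query, e.g. "... ORDER BY " . $_GET['orderby'].
    $sql = $wpdb->prepare(
        "SELECT id, title, votes FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order}",
        $status
    );
    return $wpdb->get_results( $sql );
}

// Typical admin-page call site; capability and nonce checks for the page
// are assumed to have run before this point.
// $rows = ts_example_get_polls( $_GET['orderby'] ?? 'id', $_GET['order'] ?? 'asc', 'active' );
```

The allowlist is the important part: escaping functions built for string values (such as `esc_sql()` on its own) do not make an arbitrary identifier safe inside ORDER BY, so validating the column name against a closed set is the check to look for when reviewing a fix for this advisory. Note that the administrator-only precondition in the CVSS vector (PR:H) reduces exposure but does not remove the need for the fix, since any stored or CSRF-driven path that reaches the same parameter inherits the weakness.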

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2024-9022

Affected Products: Ts Poll – Survey