Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Wordfence Intelligence   >   Vulnerability Database   >   Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting
7.2
Missing Authorization
CVE CVE-2024-3600
CVSS 7.2 (High)
Publicly Published April 18, 2024
Last Updated April 19, 2024
Researcher Krzysztof Zając - CERT PL

Description

The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page.

References

Share

Vulnerability Details for Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls

Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls

Software Type Plugin
Software Slug poll-maker (view on wordpress.org)
Patched? Yes
Remediation Update to version 5.1.9, or a newer patched version
Affected Version
  • <= 5.1.8
Patched Version
  • 5.1.9

Recent vulnerabilities in Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls

Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action
4.3
CVE-2026-8995
May 28, 2026
Researcher: Satoo Nakano
Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 6.0.7 - Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter
4.9
CVE-2025-12620
Nov 12, 2025
Researcher: type5afe
Poll Maker <= 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2025-57954
Sep 22, 2025
Researcher: Abu Hurayra (HurayraIIT)
Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.8.9 - Unauthenticated Basic Information Exposure
5.3
CVE-2024-12575
Aug 15, 2025
Researcher: xiaoAGiao
Poll Maker <= 5.7.7 - Unauthenticated Race Condition to Multi-Vote
5.3
CVE-2025-47545
May 7, 2025
Researcher: Ibrahim Mohammad
Poll Maker <= 5.6.5 - Authenticated (Administrator+) SQL Injection
4.9
CVE-2025-26971
Feb 23, 2025
Researcher: Webula
Poll Maker <= 5.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
4.4
CVE-2024-13602
Feb 23, 2025
Researcher: Krugov Artyom
Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.5.4 - Unauthenticated HTML Injection
5.3
CVE-2024-56277
Jan 3, 2025
Researcher: Muhammad Zidan Ali Mansur
Poll Maker <= 5.5.6 - Missing Authorization
6.5
CVE-2024-56295
Jan 3, 2025
Researcher: Nosa "apapedulimu" Shandy
Poll Maker <= 5.5.0 - Missing Authorization
6.5
CVE-2025-24577
Dec 15, 2024
Researcher: Trương Hữu Phúc (truonghuuphuc)
# Title CVE ID CVSS Researchers Date
1 Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action CVE-2026-8995 4.3 Satoo Nakano May 28, 2026
2 Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 6.0.7 - Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter CVE-2025-12620 4.9 type5afe November 12, 2025
3 Poll Maker <= 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-57954 6.4 Abu Hurayra (HurayraIIT) September 22, 2025
4 Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.8.9 - Unauthenticated Basic Information Exposure CVE-2024-12575 5.3 xiaoAGiao August 15, 2025
5 Poll Maker <= 5.7.7 - Unauthenticated Race Condition to Multi-Vote CVE-2025-47545 5.3 Ibrahim Mohammad May 7, 2025
6 Poll Maker <= 5.6.5 - Authenticated (Administrator+) SQL Injection CVE-2025-26971 4.9 Webula February 23, 2025
7 Poll Maker <= 5.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2024-13602 4.4 Krugov Artyom February 23, 2025
8 Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.5.4 - Unauthenticated HTML Injection CVE-2024-56277 5.3 Muhammad Zidan Ali Mansur January 3, 2025
9 Poll Maker <= 5.5.6 - Missing Authorization CVE-2024-56295 6.5 Nosa "apapedulimu" Shandy January 3, 2025
10 Poll Maker <= 5.5.0 - Missing Authorization CVE-2025-24577 6.5 Trương Hữu Phúc (truonghuuphuc) December 15, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation