CVE-2024-13426 in WP-Polls Plugin
Summary
by MITRE • 01/22/2025
The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries. Those queries are stored and results are not displayed to the attacker, which means they cannot be exploited to obtain any additional information about the database. However, a properly configured payload allows for the injection of malicious JavaScript resulting in Stored Cross-Site Scripting.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/09/2025
The WP-Polls plugin for WordPress represents a widely used polling solution that enables website administrators to create interactive surveys and gather user feedback. This vulnerability affects all versions up to and including 2.77.2, creating a significant security risk for WordPress installations that rely on this plugin for user engagement. The vulnerability stems from inadequate input sanitization within the plugin's handling of cookie data, specifically when processing user-supplied parameters that are directly incorporated into database queries without proper escaping mechanisms.
The technical flaw manifests through insufficient escaping of cookie data that is passed to SQL queries within the plugin's codebase. When users interact with polls, cookie values containing user input are processed and integrated into existing SQL statements without proper parameterization or sanitization. This creates a classic SQL injection vulnerability where an attacker can manipulate the query structure by injecting malicious SQL syntax through cookie values. The vulnerability is particularly concerning because it affects unauthenticated attackers who can exploit this weakness without requiring valid credentials or administrative access to the WordPress installation.
The operational impact of this vulnerability extends beyond traditional database exploitation due to the specific nature of the injection payload. While the primary SQL injection does not directly allow attackers to extract database information or perform unauthorized data access, it enables the injection of malicious JavaScript code through stored cross-site scripting vectors. This stored XSS vulnerability allows attackers to execute arbitrary scripts within the context of other users' browsers who interact with the affected WordPress site. The malicious JavaScript can potentially steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
The vulnerability aligns with CWE-89, which identifies SQL injection as a critical weakness in software applications. It also maps to ATT&CK technique T1213.002, which covers data from information repositories, as attackers can potentially compromise user sessions through the stored XSS vector. The attack surface is particularly broad since the vulnerability affects all versions up to 2.77.2, meaning that a large number of WordPress installations could be exposed to this risk. The fact that attackers do not need authentication credentials to exploit this vulnerability makes it especially dangerous for publicly accessible WordPress sites that rely on the WP-Polls plugin for user interaction.
Organizations should immediately update their WP-Polls plugin to the latest available version to mitigate this vulnerability. The recommended mitigation strategy involves implementing proper input validation and parameterized queries to prevent any user-supplied data from being directly incorporated into SQL statements. Additionally, administrators should consider implementing web application firewalls that can detect and block suspicious cookie values that may contain SQL injection patterns. Regular security audits and monitoring of cookie data processing within plugins should be conducted to identify similar vulnerabilities in other third-party components. The incident highlights the importance of maintaining up-to-date security practices and the critical need for proper input sanitization in all database interactions, particularly in widely used plugins that may be targeted by attackers due to their prevalence across WordPress installations.