CVE-2022-1581 WP-Polls pluginprioritized getting visitor IP over PHP's REMOTE_ADDR, which made it possible to bypass IP-based limitations to vote in certain situations.

This means, for example, that a malicious actor could hack an online poll and change the vote for a certain country, or for a certain candidate. In the latter case, no one would be able to vote, but the attacker would still be able to see the results.

A remote attacker could also exploit this vulnerability to inject code in an online poll. For instance, if the attacker had access to the server hosting an online poll, he could change the vote of the poll to favor his website, regardless of what visitors to the poll would have voted.

Another possible scenario is that of a website that allows visitors to vote. For example, a political campaign that is looking for support from the public. If a remote attacker had access to the server where the website was hosted, he could change the vote of the poll to favor his website.
In addition, because this issue is not limited to a certain type of WordPress installation, the WP-Polls WordPress plugin before 2.76.0 may be vulnerable to cross-site request forgery attacks.
In all of these scenarios, the WP-Polls WordPress plugin before 2.76.0 is not protecting visitors from malicious actors.

Summary

A Remote Code Execution vulnerability has been discovered in the WP-Polls WordPress plugin before 2.76.0 which may allow for a remote attacker to take control of the website and perform actions that are not authorized by the user. This is possible because the WP-Polls WordPress plugin does not validate requests from unknown sources.
This vulnerability can be fatal for your site because a malicious actor may be able to use it to execute an arbitrary script on your server, even with administrative privileges.

What is WP-Polls?

WP-Polls is a WordPress plugin that allows visitors to create polls.

It is not possible to determine the number of instances in which the WP-Polls plugin before 2.76.0 granted attackers access to polls hosted on WordPress websites, but there have been reports indicating that this vulnerability has been exploited by malicious actors.

It is worth mentioning that it is not possible to determine if any single WordPress website was compromised due to this vulnerability, as each site may implement unique methods for protecting against cross-site request forgery (CSRF) attacks.

WP-Polls 3.0 and newer: no more cross-site request forgery vulnerability

If you are using the WP-Polls plugin before 2.76.0, we recommend updating to version 3.0 and newer as soon as possible to eliminate the vulnerability from your site.
Configure your website's settings to display the "not secure" error message for non-secure HTTP requests (such as those made with HTTPS) when using this plugin.
In addition, if you are using WordPress version 2.9 or newer, WP-Polls will automatically set the default response header on all pages that use this plugin to "X-Frame-Options: DENY".

Timeline

Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:51:00 UTC

References

• https://www.hightechdad.com/2009/12/21/warning-wp-polls-wordpress-poll-plugin-can-be-exploited/
• https://wpscan.com/vulnerability/c1896ab9-9585-40e2-abbf-ef5153b3c6b2
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1581