CVE-2021-24651
📋 TL;DR
The Poll Maker WordPress plugin before version 3.4.2 contains an unauthenticated SQL injection vulnerability via the ays_finish_poll AJAX action. Attackers can use timing attacks to exfiltrate sensitive data like password hashes from the database. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Poll Maker WordPress Plugin
📦 What is this software?
Poll Maker by Ays Pro
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, data exfiltration, and potential site takeover via password hash cracking.
Likely Case
Extraction of sensitive user data including password hashes, email addresses, and other personally identifiable information from the database.
If Mitigated
Limited data exposure if database permissions are properly restricted and password hashes are properly salted.
🎯 Exploit Status
Exploitation requires timing attacks for data exfiltration since results are not directly returned in responses. SQL injection is straightforward but data extraction requires additional techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.2
Vendor Advisory: https://wpscan.com/vulnerability/24f933b0-ad57-4ed3-817d-d637256e2fb1
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Poll Maker plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.4.2+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Poll Maker Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate poll-maker
Restrict AJAX Access
Block access to the vulnerable AJAX endpoint via web server configuration
# Add to .htaccess for Apache (RewriteRule cannot match the query string, so the action is tested with RewriteCond; this only catches requests that pass the action in the URL):
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=ays_finish_poll(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block SQL injection patterns
- Restrict database user permissions to minimize potential data exposure
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Poll Maker version. If the version is below 3.4.2, the system is vulnerable.
Check Version:
wp plugin get poll-maker --field=version
Verify Fix Applied:
Confirm Poll Maker plugin version is 3.4.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=ays_finish_poll parameter containing SQL syntax
- Unusual timing patterns in request/response cycles
Network Indicators:
- SQL injection payloads in HTTP POST parameters
- Repeated requests with incremental timing delays
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND (param_action="ays_finish_poll" AND (param_data CONTAINS "SLEEP" OR param_data CONTAINS "BENCHMARK" OR param_data CONTAINS "WAITFOR"))
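The log and network indicators above, turned into detection logic over structured web-log records. This is an added example, not part of the advisory: the records are constructed, they reuse the SIEM query's field names (uri_path, http_method, param_action, param_data), and the client_ip and response_time_ms fields are assumed.

```python
import re
from collections import defaultdict

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "ays_finish_poll"
# Time-delay primitives named in the SIEM query above, matched case-insensitively
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.IGNORECASE)

def hits_endpoint(rec):
    """True for a POST to admin-ajax.php that carries the vulnerable action."""
    return (rec.get("uri_path") == TARGET_PATH
            and rec.get("http_method") == "POST"
            and rec.get("param_action") == TARGET_ACTION)

def flag_payloads(records):
    """Log indicator 1: requests whose data parameter contains a time-delay keyword."""
    return [r for r in records
            if hits_endpoint(r) and DELAY_RE.search(r.get("param_data", ""))]

def flag_timing_clients(records, min_requests=3, slow_ms=2000):
    """Log indicator 2 / network indicator 2: clients that repeatedly hit the endpoint
    with response times far above a normal poll submission. Assumes the log carries
    a response_time_ms field, which the advisory does not specify."""
    per_client = defaultdict(list)
    for r in records:
        if hits_endpoint(r):
            per_client[r["client_ip"]].append(r["response_time_ms"])
    return sorted(ip for ip, times in per_client.items()
                  if len(times) >= min_requests
                  and sum(t >= slow_ms for t in times) >= min_requests - 1)

def _rec(ip, data, ms, action=TARGET_ACTION):
    return {"client_ip": ip, "http_method": "POST", "uri_path": TARGET_PATH,
            "param_action": action, "param_data": data, "response_time_ms": ms}

# Constructed sample records (not real traffic): one legitimate voter, one client sending
# time-delay payloads with slow responses, and one unrelated WordPress core "heartbeat" call
SAMPLE_LOGS = [
    _rec("203.0.113.10", "poll_id=7&answer=2", 118),
    _rec("198.51.100.5", "poll_id=7 OR SLEEP(5)", 5130),
    _rec("198.51.100.5", "poll_id=7 OR sleep(5)", 5090),
    _rec("198.51.100.5", "poll_id=7 AND BENCHMARK(1,1)", 4870),
    _rec("203.0.113.10", "poll_id=8&answer=1", 131),
    _rec("192.0.2.44", "poll_id=7&answer=3", 140, action="heartbeat"),
]

if __name__ == "__main__":
    for r in flag_payloads(SAMPLE_LOGS):
        print("delay keyword from", r["client_ip"], "->", r["param_data"])
    print("timing-pattern clients:", flag_timing_clients(SAMPLE_LOGS))
```

The keyword check mirrors the SIEM query; the timing check catches the blind variant where the payload is not logged but the response times are.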