CVE-2023-45766

5.3 MEDIUM

📋 TL;DR

This CVE describes a missing authorization vulnerability in the Poll Maker WordPress plugin that allows attackers to exploit incorrectly configured access control security levels. It affects all versions up to 4.7.1, potentially enabling unauthorized users to perform actions reserved for administrators or other privileged roles.

💻 Affected Systems

Products:
  • Poll Maker WordPress Plugin
Versions: All versions up to and including 4.7.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations using the vulnerable Poll Maker plugin versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could modify or delete polls, manipulate voting results, access sensitive poll data, or potentially escalate privileges within the WordPress installation.

🟠 Likely Case: Unauthorized users could view or modify poll configurations, potentially altering voting outcomes or accessing poll results they shouldn't see.

🟢 If Mitigated: With proper access controls and authentication checks, only authorized users can perform administrative poll functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to the WordPress site but bypasses authorization checks for poll management functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.2 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/poll-maker/vulnerability/wordpress-poll-maker-plugin-4-7-1-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Poll Maker plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 4.7.2+ from WordPress repository and manually update

🔧 Temporary Workarounds

Temporary Plugin Deactivation (platform: all)

Disable the Poll Maker plugin until patched:

wp plugin deactivate poll-maker

Access Restriction via .htaccess (platform: linux)

Restrict direct access to poll-related plugin files:

# Add to .htaccess in WordPress root. FilesMatch matches file *names*, so this
# only covers files whose name contains "poll-maker" (e.g. the plugin's main
# file), not the plugin directory, and it does not block requests made through
# /wp-admin/admin-ajax.php, which is how the plugin's AJAX actions are reached.
<FilesMatch "poll-maker">
Order Deny,Allow
Deny from all
# On Apache 2.4 without mod_access_compat use instead: Require all denied
</FilesMatch>

🧯 If You Can't Patch

  • Implement strict role-based access controls at the WordPress level
  • Monitor and audit all poll-related activities and access attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Poll Maker version number

Check Version:

wp plugin get poll-maker --field=version

Verify Fix Applied:

Verify Poll Maker plugin version is 4.7.2 or higher
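As an added example (not part of this advisory and not the plugin's own code), a small Python script that applies the check above: it reads the installed version with the same WP-CLI command the advisory gives and compares it numerically against 4.7.2, so that a release such as 4.10 is not misjudged by plain string comparison. The WordPress path passed via WP-CLI's `--path` option is an assumption about the deployment.

```python
"""Added example: decide whether an installed Poll Maker version is
affected by CVE-2023-45766 (fixed in 4.7.2, per the advisory)."""
import re
import subprocess

FIXED_VERSION = "4.7.2"  # first patched release named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '4.7.1' or '4.7.1-rc2' into a comparable tuple of three ints.
    Non-numeric suffixes are ignored; missing components count as 0."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed. Note that a string comparison would
    wrongly rank '4.10.0' below '4.7.2'; the tuple comparison does not."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: str = ".") -> str:
    """Ask WP-CLI for the plugin version (the advisory's verification command).
    wp_path is an assumed location of the WordPress install."""
    out = subprocess.run(
        ["wp", "plugin", "get", "poll-maker", "--field=version",
         f"--path={wp_path}"],
        capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    state = "VULNERABLE (update to 4.7.2+)" if is_vulnerable(v) else "patched"
    print(f"Poll Maker {v}: {state}")
```

Run it from the WordPress root (or pass the path to `installed_version`); the comparison logic can also be reused against a plugin inventory exported from several sites.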

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to poll administration endpoints
  • Unexpected poll modifications by non-admin users

Network Indicators:

  • HTTP requests to /wp-admin/admin-ajax.php with poll-maker actions from unauthorized IPs

SIEM Query:

source="wordpress.log" AND ("poll-maker" OR "poll_maker") AND ("admin" OR "ajax") AND NOT user_role="administrator"
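As an added example (not part of this advisory), a Python script that applies the network indicator above to web-server access logs: it parses combined-format lines, keeps requests to /wp-admin/admin-ajax.php whose `action` parameter names the poll plugin, and reports those that come from outside an allow-list of administrative networks. The log lines, the action names (`poll_maker_export`, `poll_maker_delete`) and the 10.0.0.0/8 admin network are all constructed for the example; the real plugin's action names must be substituted before use. Only actions passed in the query string are visible in an access log, so POST bodies (the usual AJAX transport) need application- or WAF-level logging, which the script's result for the POST sample line makes visible.

```python
"""Added example: flag admin-ajax.php requests carrying a Poll Maker action
that originate outside the networks where poll administration is expected."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Assumed value: networks from which poll administration is legitimate.
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]


def parse_line(line: str):
    """Return a dict with ip, method, path, action and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # Only query-string actions are visible; POST bodies are not logged.
    rec["action"] = parse_qs(url.query).get("action", [""])[0]
    return rec


def is_poll_ajax(rec: dict) -> bool:
    """admin-ajax.php request whose action refers to the poll plugin.
    The substring match is an approximation; tune to the real action names."""
    return (rec["path"].endswith("/wp-admin/admin-ajax.php")
            and "poll" in rec["action"].lower())


def from_admin_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def suspicious_requests(lines):
    """Return [(ip, action, status)] for poll AJAX calls from outside
    ADMIN_NETWORKS; unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_poll_ajax(rec) and not from_admin_network(rec["ip"]):
            hits.append((rec["ip"], rec["action"], rec["status"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=poll_maker_export&id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=poll_maker_delete&id=3 HTTP/1.1" 200 41 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /index.php?p=12 HTTP/1.1"'
    ' 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:12:00:04 +0000] "POST /wp-admin/admin-ajax.php'
    ' HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, action, status in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} called action={action} (HTTP {status})")
```

On the sample data only the 203.0.113.7 delete call is reported: the export from 10.0.0.5 is inside the admin network, and the POST from 198.51.100.9 carries its action in the body, which an access log does not record. That last case is the reason to pair this check with the SIEM query above, which assumes application-level logs that do carry the action and the user's role.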
