CVE-2023-50904
📋 TL;DR
This CVE describes a missing authorization vulnerability in the Poll Maker WordPress plugin: access control checks are missing or misconfigured, so attackers can perform actions that should require proper authentication and authorization. This affects all WordPress sites running Poll Maker plugin versions up to and including 4.8.0.
💻 Affected Systems
- Poll Maker WordPress Plugin
📦 What is this software?
Poll Maker by Ays Pro
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify polls, delete poll data, or potentially access administrative functions depending on the specific broken access control implementation.
Likely Case
Unauthorized users can manipulate poll content, view restricted poll results, or modify poll settings without proper permissions.
If Mitigated
With proper access controls and authentication checks, only authorized users can perform poll-related actions.
🎯 Exploit Status
Missing authorization vulnerabilities typically require minimal technical skill to exploit once the vulnerable endpoint is identified.
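The defect class involved, as an added illustration that is not Poll Maker's own code: a hypothetical admin-ajax handler (the action name, nonce action and option key are assumed; only the WordPress API calls are real) shown first without any authorization check, then with the capability and nonce checks WordPress provides.

```php
<?php
// Added illustration of a missing-authorization defect in a WordPress plugin.
// This is NOT Poll Maker's code: the action name, nonce action and option key
// are hypothetical; only the WordPress API calls are real.

// VULNERABLE PATTERN: the handler trusts any request to
//   POST /wp-admin/admin-ajax.php?action=example_save_poll
// Registering the wp_ajax_nopriv_ hook exposes it to anonymous visitors, and
// nothing checks who the caller is, so anyone can overwrite poll settings.
function example_save_poll_vulnerable() {
    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'example_poll_' . $poll_id, array( 'title' => $title ) );
    wp_send_json_success();
}
// Shown for contrast only; do not register a handler like this:
// add_action( 'wp_ajax_example_save_poll',        'example_save_poll_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_save_poll', 'example_save_poll_vulnerable' );

// HARDENED PATTERN: no nopriv hook (logged-in users only), a capability check
// matched to the privilege the action needs, and a nonce proving the request
// originated from the plugin's own admin page rather than a forged form.
function example_save_poll_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends the error and terminates
    }
    check_ajax_referer( 'example_save_poll', 'nonce' ); // dies on a bad or missing nonce
    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'example_poll_' . $poll_id, array( 'title' => $title ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_poll', 'example_save_poll_hardened' );

// The admin page that issues the request must mint the matching nonce, e.g.:
//   wp_localize_script( 'example-admin', 'examplePoll',
//       array( 'nonce' => wp_create_nonce( 'example_save_poll' ) ) );
```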
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.1 or later
Vendor Advisory: https://patchstack.com/database/wordpress/plugin/poll-maker/vulnerability/wordpress-poll-maker-plugin-4-8-0-broken-access-control-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Poll Maker plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 4.8.1+ from WordPress repository and manually update
🔧 Temporary Workarounds
Disable Poll Maker Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate poll-maker
Restrict Access via Web Application Firewall
Block access to Poll Maker plugin endpoints for unauthorized users
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WordPress installation
- Deploy web application firewall rules to monitor and block suspicious poll-related requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Poll Maker version
Check Version:
wp plugin get poll-maker --field=version
Verify Fix Applied:
Verify Poll Maker plugin version is 4.8.1 or higher
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to poll-maker endpoints
- Failed authentication attempts followed by successful poll modifications
Network Indicators:
- Unusual traffic patterns to /wp-content/plugins/poll-maker/ endpoints from unauthenticated sources
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "poll-maker") AND user="-"