CVE-2024-13426
📋 TL;DR
The WP-Polls WordPress plugin, in all versions up to and including 2.77.2, contains an SQL injection vulnerability reachable through a manipulated cookie value. Unauthenticated attackers can append SQL to an existing query; the injected query's output is not returned to the attacker, but the injection can be used to write a malicious JavaScript payload into the database, producing stored cross-site scripting (XSS). All WordPress sites running a vulnerable version of this plugin are affected.
💻 Affected Systems
- WP-Polls WordPress Plugin
📦 What is this software?
WP-Polls is a WordPress plugin by Lester Chan (GitHub repository lesterchan/wp-polls; WordPress.org slug wp-polls) for creating polls and collecting visitor votes on a site.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject persistent malicious JavaScript that executes in visitors' browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of authenticated users.
Likely Case
Attackers inject malicious JavaScript payloads via SQL injection, creating stored XSS attacks that affect all visitors to the vulnerable site.
If Mitigated
With a web application firewall in front of the site that blocks SQL syntax in cookie values, and a Content Security Policy that limits script execution, injection attempts fail at the edge and the impact is limited to logged, failed attack attempts. The underlying bug still needs the patch; the WAF only narrows the window.
🎯 Exploit Status
Exploitation is unauthenticated: the attacker only needs to send a crafted cookie value with a request the plugin processes. The injection is blind (query results are not returned in the response), so its practical use is to write attacker-controlled data, including a JavaScript payload, into the database so that it is later rendered as stored XSS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.77.3 or later
Vendor Repository: https://github.com/lesterchan/wp-polls (third-party advisory: Wordfence, see References)
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP-Polls plugin
4. Click 'Update Now' if update available
5. If no update available, manually download version 2.77.3+ from WordPress repository
🔧 Temporary Workarounds
Disable WP-Polls Plugin
Temporarily disable the vulnerable plugin until it can be updated (WP-CLI, run from the WordPress root):
wp plugin deactivate wp-polls
Web Application Firewall Rule
Block requests whose cookies contain SQL injection patterns. Note that ModSecurity exposes request cookies as REQUEST_COOKIES (and their names as REQUEST_COOKIES_NAMES), not ARGS_COOKIES, and cookies are already available in phase 1 (request headers):
ModSecurity rule: SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES "@detectSQLi" "id:1001,phase:1,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection pattern in cookie'"
@detectSQLi (libinjection) is a heuristic: test the rule against legitimate traffic for false positives before enforcing it, and treat it as a stopgap rather than a fix.
🧯 If You Can't Patch
- Disable WP-Polls plugin immediately
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP-Polls version ≤2.77.2
Check Version:
wp plugin get wp-polls --field=version
Verify Fix Applied:
Verify WP-Polls version is ≥2.77.3 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Database errors or unexpected queries against the WP-Polls tables (pollsq, pollsa and pollsip, with the site's table prefix) in the MySQL error/general log, or in WordPress's debug.log when WP_DEBUG_LOG is enabled
- Cookie values sent to the site containing SQL syntax (UNION, SELECT, INSERT, quote characters, comment sequences such as -- or /*)
- Repeated database errors that correlate by timestamp with requests from a single client IP in the web server log (database logs do not record the HTTP client, so the two sources must be joined)
Network Indicators:
- HTTP requests with manipulated cookie values containing SQL syntax
- Unusual cookie lengths or special characters in cookie parameters
SIEM Query (requires the Cookie request header to be logged; the default Apache and Nginx access-log formats do not include it). WP-Polls registers its vote handler on WordPress's admin-ajax.php rather than on files under the plugin directory, so match that path as well:
source="web_server" AND (cookie="*UNION*" OR cookie="*SELECT*" OR cookie="*INSERT*") AND (uri="*/wp-content/plugins/wp-polls/*" OR uri="*/wp-admin/admin-ajax.php*")
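The same detection logic run offline over access-log lines, as an added example (not code from the page or from the WP-Polls project). It assumes the server logs the Cookie header appended to the combined format (for Apache, a LogFormat ending in `"%{Cookie}i"`); the log lines, the cookie name `example_vote` and the IP addresses are constructed for the example. It goes slightly beyond the SIEM query above by URL-decoding cookie values before matching and by requiring SQL syntax (quotes, comment sequences, `UNION ... SELECT`, tautologies) rather than bare keywords, which avoids flagging ordinary values that merely contain a word like "select".

```python
"""Added example (not from the page or the WP-Polls project): flag access-log
lines whose Cookie header carries SQL syntax on requests WP-Polls handles.

Assumes the web server logs the Cookie header after the combined format, e.g.
Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
The sample log lines, cookie names and addresses below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Combined log format plus a trailing quoted Cookie header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Requests WP-Polls processes: WordPress's admin-ajax.php (where the plugin's
# vote handler runs) and anything under the plugin directory.
TARGET_URI_RE = re.compile(r"/wp-admin/admin-ajax\.php|/wp-content/plugins/wp-polls/")

# SQL syntax that has no business in a cookie value. Bare keywords alone are
# not matched, so a value like "select-dark" does not trip the detector.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select"       # appended query
    r"|'"                            # string terminator used to break out
    r"|--|/\*"                       # SQL comment sequences
    r"|\bor\b\s+\d+\s*=\s*\d+"       # boolean tautology (OR 1=1)
    r"|\b(sleep|benchmark)\s*\(",    # time-based blind probes
    re.IGNORECASE,
)


def suspicious_cookies(cookie_header):
    """Return [(name, decoded_value)] for cookies whose decoded value matches SQLI_RE."""
    hits = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep:
            continue
        decoded = unquote_plus(value)  # attackers usually URL-encode the payload
        if SQLI_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one finding per parseable line that targets WP-Polls paths and
    carries an SQL-looking cookie value."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if not TARGET_URI_RE.search(m["uri"]):
            continue
        hits = suspicious_cookies(m["cookie"])
        if hits:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                 "status": m["status"], "cookies": hits}
            )
    return findings


# Constructed sample log: one benign vote, one injection attempt, one injection
# pattern on an unrelated page, one benign value containing the word "select",
# and one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=polls HTTP/1.1" '
    '200 512 "https://example.test/" "Mozilla/5.0" "wordpress_test_cookie=WP+Cookie+check; example_vote=2"',
    '198.51.100.7 - - [10/Jan/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=polls HTTP/1.1" '
    '200 512 "-" "curl/8.4.0" "example_vote=2\'%20UNION%20SELECT%20\'%3Cscript%3E\'--"',
    '198.51.100.7 - - [10/Jan/2025:12:00:15 +0000] "GET /about/ HTTP/1.1" '
    '200 4096 "-" "curl/8.4.0" "example_vote=2\'%20UNION%20SELECT%201--"',
    '198.51.100.9 - - [10/Jan/2025:12:01:00 +0000] "GET /wp-content/plugins/wp-polls/polls-css.css HTTP/1.1" '
    '200 2048 "https://example.test/" "Mozilla/5.0" "theme=select-dark"',
    "this line is not in the expected log format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["uri"], f["cookies"])
```

The third sample line is deliberately not reported: it carries the same payload but against a page WP-Polls does not handle, matching the URI scoping of the SIEM query. Drop the `TARGET_URI_RE` check if you would rather see every SQL-looking cookie regardless of path.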
🔗 References
- https://github.com/WordPress/wordpress-develop/blob/a82874058f58575dbba64ce09b6dcbd43ccf5fdc/src/wp-includes/default-constants.php#L249
- https://github.com/lesterchan/wp-polls
- https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/polls-logs.php#L294
- https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/polls-logs.php#L97
- https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/wp-polls.php#L1378
- https://github.com/lesterchan/wp-polls/blob/97ab44c2d4c3a3d308ce8b87dae8b2a8f7147f0e/wp-polls.php#L1416
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3224709%40wp-polls%2Ftrunk&old=2949758%40wp-polls%2Ftrunk&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wp-polls/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b76de574-2627-46cd-9817-134a009ac3bd?source=cve