CVE-2024-3600
📋 TL;DR
This vulnerability in the Poll Maker WordPress plugin allows unauthenticated attackers to create malicious quizzes containing stored cross-site scripting (XSS) payloads. When users visit the affected quiz pages, the injected script executes in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites running Poll Maker versions up to and including 5.1.8 are affected.
💻 Affected Systems
- Poll Maker – Best WordPress Poll Plugin
📦 What is this software?
Poll Maker by Ays Pro
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, redirect users to malicious sites, or deploy malware to visitors' browsers.
Likely Case
Attackers inject malicious JavaScript to steal user credentials, session tokens, or perform actions on behalf of authenticated users.
If Mitigated
With proper web application firewalls and content security policies, malicious scripts would be blocked or sanitized before execution.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to vulnerable endpoints. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Poll Maker plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.1.9+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Poll Maker Plugin
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate poll-maker
Web Application Firewall Rule
Block malicious AJAX requests to the vulnerable endpoint
Block POST requests to */wp-admin/admin-ajax.php with action=ays_poll_maker_quick_start
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
In WordPress admin, go to Plugins and read the Poll Maker version number. If the version is ≤ 5.1.8, the site is vulnerable.
Check Version:
wp plugin get poll-maker --field=version
Verify Fix Applied:
Verify Poll Maker plugin version is 5.1.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=ays_poll_maker_quick_start
- Multiple quiz/poll creation events from single IP
Network Indicators:
- AJAX requests containing JavaScript payloads in parameters
- Unusual traffic to poll/quiz creation endpoints
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data LIKE "%ays_poll_maker_quick_start%")
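The three indicators above (the vulnerable action, script-like parameter values, repeated creations from one IP) applied to structured log records, as an added example that is not from the advisory or the plugin vendor; the field names `src_ip`, `method`, `uri_path`, `post_data` and the script-marker regex are assumptions, and the sample records are constructed:

```python
"""Detection helper for the CVE-2024-3600 log indicators (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs

VULN_ACTION = "ays_poll_maker_quick_start"   # action named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Broad inline-script markers; a heuristic, not taken from the advisory.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample records (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOGS = [
    {"src_ip": "203.0.113.7", "method": "POST", "uri_path": AJAX_PATH,
     "post_data": "action=ays_poll_maker_quick_start&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"src_ip": "203.0.113.7", "method": "POST", "uri_path": AJAX_PATH,
     "post_data": "action=ays_poll_maker_quick_start&title=Lunch+options"},
    {"src_ip": "198.51.100.4", "method": "POST", "uri_path": AJAX_PATH,
     "post_data": "action=heartbeat&_nonce=deadbeef"},
    {"src_ip": "198.51.100.9", "method": "GET", "uri_path": "/?p=12", "post_data": ""},
]


def is_quick_start_request(rec):
    """True for a POST to admin-ajax.php whose decoded action is the vulnerable one."""
    if rec.get("method") != "POST" or rec.get("uri_path") != AJAX_PATH:
        return False
    params = parse_qs(rec.get("post_data", ""))      # parse_qs URL-decodes values
    return VULN_ACTION in params.get("action", [])


def script_bearing_params(rec):
    """Names of POST parameters whose decoded value looks like inline script."""
    params = parse_qs(rec.get("post_data", ""))
    return sorted(k for k, vals in params.items()
                  if any(SCRIPT_MARKERS.search(v) for v in vals))


def analyze(records, per_ip_threshold=2):
    """Apply all three indicators and return a summary dict for triage."""
    hits = [r for r in records if is_quick_start_request(r)]
    per_ip = Counter(r["src_ip"] for r in hits)
    return {
        "quick_start_requests": len(hits),
        "payload_requests": [(r["src_ip"], script_bearing_params(r))
                             for r in hits if script_bearing_params(r)],
        "repeat_creators": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

Unlike the substring-based SIEM query, this matches the decoded `action` parameter exactly, so a quiz whose title merely mentions the action name is not counted.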
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fec015e1-7f64-4917-a242-90bd1135f680?source=cve