CVE-2024-6496

6.5 MEDIUM

📋 TL;DR

The Light Poll WordPress plugin through version 1.0.0 performs no CSRF check (no WordPress nonce verification) on its delete-poll action. An attacker who lures a logged-in administrator to a page they control can make the administrator's browser issue the delete request, deleting polls without the administrator's knowledge or consent. Any WordPress site with this plugin active is affected.
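The pattern behind this bug class, as an added example that is not the Light Poll plugin's own code: a WordPress admin action that deletes a row whenever a request with the right query parameters arrives, beside the same handler hardened with a capability check and a per-poll nonce. The function names, the `lp_polls` table, the `page=light-poll` slug and the `lp_action`/`poll_id` parameters are all assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. All identifiers below are hypothetical.

// --- Vulnerable pattern: any request that reaches the admin page is trusted ---
function lp_delete_poll_vulnerable() {
    if ( ! isset( $_GET['lp_action'], $_GET['poll_id'] ) || 'delete' !== $_GET['lp_action'] ) {
        return;
    }
    global $wpdb;
    // No nonce and no capability check. A logged-in admin whose browser loads
    //   /wp-admin/admin.php?page=light-poll&lp_action=delete&poll_id=7
    // from an attacker's page (img tag, hidden auto-submitting form, redirect)
    // deletes poll 7, because the browser attaches the admin's session cookie.
    $wpdb->delete( $wpdb->prefix . 'lp_polls', array( 'id' => absint( $_GET['poll_id'] ) ), array( '%d' ) );
}

// --- Hardened pattern: the admin UI mints a nonce bound to the poll... ---
function lp_delete_poll_link( $poll_id ) {
    $url = add_query_arg(
        array( 'page' => 'light-poll', 'lp_action' => 'delete', 'poll_id' => (int) $poll_id ),
        admin_url( 'admin.php' )
    );
    // wp_nonce_url() appends _wpnonce=<token>; the token is tied to the action
    // string, the current user and the current session, and expires after 24h.
    return wp_nonce_url( $url, 'lp_delete_poll_' . (int) $poll_id );
}

// --- ...and the handler refuses any request that does not carry it ---
function lp_delete_poll_hardened() {
    if ( ! isset( $_GET['lp_action'], $_GET['poll_id'] ) || 'delete' !== $_GET['lp_action'] ) {
        return;
    }
    $poll_id = absint( $_GET['poll_id'] );

    // 1. Authorisation: the user must actually be allowed to manage the site.
    //    A nonce proves intent, not permission, so both checks are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Intent: check_admin_referer() verifies _wpnonce against the action string
    //    and calls wp_die() with a 403 page when it is missing or wrong. A page on
    //    another origin cannot read or forge the token, so a cross-site request stops here.
    check_admin_referer( 'lp_delete_poll_' . $poll_id );

    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'lp_polls', array( 'id' => $poll_id ), array( '%d' ) );
    wp_safe_redirect( add_query_arg( array( 'page' => 'light-poll', 'deleted' => 1 ), admin_url( 'admin.php' ) ) );
    exit;
}
add_action( 'admin_init', 'lp_delete_poll_hardened' );
```

The nonce is the fix the vendor advisory implies; a Referer or Origin check alone is weaker, because an attacker's page can suppress the Referer with a `no-referrer` policy, and GET requests triggered by an image tag carry no Origin header.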

💻 Affected Systems

Products:
  • Light Poll WordPress Plugin
Versions: through 1.0.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Light Poll plugin enabled and an authenticated admin user.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could systematically delete all polls on a WordPress site, causing data loss and disrupting user engagement features.

🟠 Likely Case

Attackers would delete polls to vandalize sites or disrupt poll-based functionality, requiring administrators to restore from backups.

🟢 If Mitigated

With proper CSRF protections (nonce verification on the delete action) in place, no unauthorized poll deletions would occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (the attacker needs no account, but the request only succeeds if the victim is logged in as an administrator at the time it is triggered)
Complexity: LOW

Exploitation requires tricking an authenticated administrator into visiting an attacker-controlled or compromised page while logged in; the victim's browser then sends the delete request with the admin session cookie attached. The attacker must also know or guess the ID of the poll to delete.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 or later

Vendor Advisory: https://wpscan.com/vulnerability/d598eabd-a87a-4e3e-be46-a5c5cc3f130e/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Light Poll plugin.
4. Click 'Update Now' if an update is available.
5. If no fixed release is offered, deactivate the plugin and keep it deactivated (see Temporary Workarounds); reinstalling the same version from the repository does not remove the flaw.

🔧 Temporary Workarounds

Deactivate Plugin (applies to all platforms)

Temporarily disable the Light Poll plugin until a fixed version is installed; a deactivated plugin's admin actions are not registered, so the delete request has nothing to reach.

wp plugin deactivate light-poll

🧯 If You Can't Patch

  • Restrict access to /wp-admin/ to trusted networks or a VPN. Note that this does not stop CSRF by itself, since the forged request is sent by the administrator's own browser from inside that network; it only limits who can probe the site.
  • Add a web application firewall rule that rejects requests to the plugin's admin page whose Origin or Referer header names a host other than your site. Treat this as a partial control: an attacker's page can suppress the Referer, and GET requests triggered by an image tag carry no Origin header.
  • Ask administrators to log out of WordPress when not actively using it and to avoid browsing untrusted sites from the same browser session.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Light Poll version 1.0.0 or earlier.

Check Version:

wp plugin get light-poll --field=version

Verify Fix Applied:

Verify Light Poll plugin is updated to version 1.0.1 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Poll deletions that no administrator remembers performing, especially several in quick succession.
  • Requests to the plugin's poll-deletion action (admin page or admin-ajax) arriving immediately after the administrator's browser loaded a page on another site, as seen in web server access logs.

Network Indicators:

  • Requests to the plugin's poll-deletion action whose Referer or Origin header points to a host other than your site, or which carry no Referer at all while the same session otherwise always sends one.

SIEM Query (illustrative; adjust the source and field names to your logging setup, since core WordPress does not write an audit log of plugin deletions):

source="wordpress.log" AND "poll" AND "deleted" AND NOT referer="https://www.example.com/*"

Do not filter on user="admin": a CSRF-driven deletion is performed by the victim administrator's own session, so excluding the admin user hides exactly the events you are looking for.
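One way to get both the origin check from "If You Can't Patch" and the log lines from "Detection & Monitoring" without modifying the plugin, as an added example that is not the plugin's or WordPress's own code: a must-use plugin that watches requests to the plugin's admin page, logs the user, client IP and request origin classification to the PHP error log, and rejects requests whose Origin or Referer belongs to another host. The `page=light-poll` slug is an assumption; check the actual delete link in your admin UI and adjust it.

```php
<?php
/**
 * Plugin Name: Origin guard for the Light Poll admin page (added example)
 * Description: Drop into wp-content/mu-plugins/. Not the plugin's own code;
 * the 'light-poll' page slug is an assumption.
 */

// Set to true to also reject requests with no Origin/Referer at all. This closes
// the gap where an attacker's page suppresses the Referer, at the cost of
// breaking bookmarked or hand-typed admin URLs for this page.
define( 'LPGUARD_STRICT', false );

// Is this request aimed at the plugin's admin page? (hypothetical slug)
function lpguard_targets_light_poll() {
    return isset( $_REQUEST['page'] ) && 'light-poll' === $_REQUEST['page'];
}

// Classify the request by its Origin header (preferred) or Referer header.
// Returns 'same-site', 'cross-site' or 'absent'.
function lpguard_request_origin() {
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( empty( $_SERVER[ $header ] ) ) {
            continue;
        }
        $host = wp_parse_url( $_SERVER[ $header ], PHP_URL_HOST );
        return ( null !== $host && 0 === strcasecmp( $host, $site_host ) ) ? 'same-site' : 'cross-site';
    }
    return 'absent';
}

function lpguard_check() {
    if ( ! is_admin() || ! lpguard_targets_light_poll() ) {
        return;
    }
    $origin = lpguard_request_origin();

    // Always record the request; these lines are what a SIEM rule can match on.
    error_log( sprintf(
        'lpguard: user=%d ip=%s origin=%s method=%s uri=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $origin,
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );

    if ( 'cross-site' === $origin || ( LPGUARD_STRICT && 'absent' === $origin ) ) {
        wp_die( 'Cross-site request to the Light Poll admin page rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'lpguard_check' );
```

`admin_init` runs for every request to wp-admin, including admin-ajax.php, so the guard also covers a deletion triggered through an AJAX action as long as it carries the same `page` parameter; if the plugin uses a different parameter for its AJAX path, extend `lpguard_targets_light_poll()` accordingly. The log lines land wherever PHP's `error_log` is directed (typically wp-content/debug.log when `WP_DEBUG_LOG` is on), and a run of `origin=cross-site` or `origin=absent` entries followed by missing polls is the indicator to alert on.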

🔗 References
