What the vulnerability does
01Description
Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST parameter. Attackers can send requests to the admin-ajax.php endpoint with the 'spAjaxResults' action and malicious 'pollid' values to execute arbitrary SQL queries and read sensitive data from the WordPress database.
Explanation of Vulnerability in Simple Terms
02Summary
Simply Poll versions 1.4.1 and later contain a SQL injection vulnerability accessible over the network without authentication. An attacker can craft malicious input to execute arbitrary SQL queries against the site's database, potentially reading or modifying sensitive data. No user interaction is required to exploit this flaw.
What an attacker can do
03Attacker Capabilities
Execute SQL commands to read, modify, or delete database records without authentication.
Potential impact on your site
04Site Impact
Database contents (user data, posts, settings) can be read or altered by unauthenticated attackers.
Conditions required to exploit
05Prerequisites
Network access to the affected Simply Poll installation; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 9, 2026
CVE published
June 9, 2026
Record updated