CVE-2024-3601 - Vulnerability Details - OpenCVE

The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ays-pro	Poll Maker

Configuration 1 [-]

cpe:2.3:a:ays-pro:poll_maker:*:*:*:*:free:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/fc0505a1-c7c4-4cf1-97cd-123a4dddcea3?source=cve

History

Wed, 28 May 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ays-pro Ays-pro poll Maker
Weaknesses		CWE-862
CPEs		cpe:2.3:a:ays-pro:poll_maker:::::free:wordpress::
Vendors & Products		Ays-pro Ays-pro poll Maker

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-02T16:52:54.169Z

Updated: 2024-08-01T20:12:07.969Z

Reserved: 2024-04-10T16:11:23.125Z

Link: CVE-2024-3601

Vulnrichment

Updated: 2024-08-01T20:12:07.969Z

NVD

Status : Analyzed

Published: 2024-05-02T17:15:27.903

Modified: 2025-05-28T18:43:16.510

Link: CVE-2024-3601

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3601", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-04-10T16:11:23.125Z", "datePublished": "2024-05-02T16:52:54.169Z", "dateUpdated": "2024-08-01T20:12:07.969Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:54.169Z"}, "affected": [{"vendor": "ays-pro", "product": "Poll Maker \u2013 Best WordPress Poll Plugin", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Poll Maker \u2013 Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc0505a1-c7c4-4cf1-97cd-123a4dddcea3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2024-04-18T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "ays-pro", "product": "poll_maker", "cpes": ["cpe:2.3:a:ays-pro:poll_maker:*:*:*:*:*:wordpress:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-02T19:49:48.192975Z", "id": "CVE-2024-3601", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T19:24:37.442Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.969Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc0505a1-c7c4-4cf1-97cd-123a4dddcea3?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc0505a1-c7c4-4cf1-97cd-123a4dddcea3?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.969Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3601", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T19:49:48.192975Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ays-pro:poll_maker:*:*:*:*:*:wordpress:*:*"], "vendor": "ays-pro", "product": "poll_maker", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.1.8"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-02T19:50:23.650Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "ays-pro", "product": "Poll Maker \u2013 Best WordPress Poll Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-18T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc0505a1-c7c4-4cf1-97cd-123a4dddcea3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Poll Maker \u2013 Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:52:54.169Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3601", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:12:07.969Z", "dateReserved": "2024-04-10T16:11:23.125Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-02T16:52:54.169Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ays-pro:poll_maker:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "B80DE823-D79A-4C8A-A758-154B7A3B60EA", "versionEndExcluding": "5.1.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Poll Maker \u2013 Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time."}, {"lang": "es", "value": "El complemento Poll Maker \u2013 Best WordPress Poll Plugin para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n ays_poll_create_author en todas las versiones hasta la 5.1.8 incluida. Esto hace posible que atacantes no autenticados extraigan direcciones de correo electr\u00f3nico enumer\u00e1ndolas un car\u00e1cter a la vez."}], "id": "CVE-2024-3601", "lastModified": "2025-05-28T18:43:16.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-02T17:15:27.903", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc0505a1-c7c4-4cf1-97cd-123a4dddcea3?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc0505a1-c7c4-4cf1-97cd-123a4dddcea3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}