CVE-2016-20062
Description
Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST parameter. Attackers can send requests to the admin-ajax.php endpoint with the 'spAjaxResults' action and malicious 'pollid' values to execute arbitrary SQL queries and read sensitive data from the WordPress database.
Affected products
- Range: <1.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin does not properly sanitize the 'pollid' POST parameter before using it in SQL queries."
Attack vector
An unauthenticated attacker can exploit this vulnerability by sending a POST request to the `admin-ajax.php` endpoint with the `action` parameter set to `spAjaxResults` and a malicious value in the `pollid` parameter [ref_id=1]. This allows the attacker to inject arbitrary SQL code, enabling them to read sensitive data from the WordPress database [ref_id=1]. The exploit can be automated using tools like sqlmap [ref_id=1].
Affected code
The vulnerability lies within the Simply Poll WordPress plugin, specifically in version 1.4.1. The 'pollid' POST parameter is identified as the vulnerable input point [ref_id=1]. The plugin processes this parameter when a request is sent to `admin-ajax.php` with the `action` parameter set to `spAjaxResults`.
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. It states that the vulnerability was not fixed at the time of the exploit's release [ref_id=1]. Therefore, the recommended remediation is to update the Simply Poll plugin to a version that addresses this SQL injection vulnerability, although no specific fixed version is mentioned.
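Because no patch is listed, one compensating control is to reject malformed `pollid` values before they reach the plugin. The following is an added example, not code from the advisory or the plugin: a request filter check run over constructed sample requests, assuming poll IDs are plain positive integers (as in the page's `pollid=2`); `check_request` and its verdict names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "spAjaxResults"
# Assumption: poll ids are small positive integers, like pollid=2 on this page.
POLLID_OK = re.compile(r"[0-9]{1,10}")


def check_request(method, url, body):
    """Classify one HTTP request as 'pass', 'allow' or 'block' with a reason.

    pass  = not the Simply Poll results action, outside this rule's scope
    allow = results action with exactly one integer pollid
    block = results action whose pollid is missing, repeated or not an integer
    """
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith(AJAX_PATH):
        return ("pass", "not a POST to admin-ajax.php")
    # Merge query string and body so an action given in the URL is also seen.
    # parse_qs URL-decodes; keep_blank_values keeps an empty pollid visible.
    params = parse_qs(parts.query + "&" + body, keep_blank_values=True)
    if ACTION not in params.get("action", []):
        return ("pass", "different ajax action")
    # PHP turns names like pollid[] into arrays; treat those as malformed too.
    names = [n for n in params if n == "pollid" or n.startswith("pollid[")]
    values = [v for n in names for v in params[n]]
    if names != ["pollid"] or len(values) != 1:
        return ("block", "pollid missing, repeated or sent as an array")
    if not POLLID_OK.fullmatch(values[0]):
        return ("block", "pollid is not a plain integer")
    return ("allow", "pollid=" + values[0])


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "http://example.com/wp-admin/admin-ajax.php", "action=spAjaxResults&pollid=2"),
    ("POST", "http://example.com/wp-admin/admin-ajax.php", "action=spAjaxResults&pollid=2%27"),
    ("POST", "http://example.com/wp-admin/admin-ajax.php?action=spAjaxResults", "pollid=1&pollid=x"),
    ("POST", "http://example.com/wp-admin/admin-ajax.php", "action=heartbeat&pollid=x"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(check_request(method, url, body), body)
```

The check only parses `application/x-www-form-urlencoded` bodies, and it filters input in front of the plugin without changing the plugin's query.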
Preconditions
- input: The 'pollid' POST parameter must be controllable by the attacker.
- network: The attacker must be able to send HTTP POST requests to the target WordPress site.
- auth: No authentication is required to exploit this vulnerability.
Reproduction
`sqlmap -u "http://example.com/wp-admin/admin-ajax.php" --data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress --threads=10 --random-agent --dbms=mysql --level=5 --risk=3` [ref_id=1]
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.