CVE-2026-39651
Description
Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total Poll Lite: from n/a through <= 4.12.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A broken access control flaw in Total Poll Lite ≤4.12.0 allows unauthenticated attackers to exploit incorrectly configured access restrictions.
Root Cause
The Total Poll Lite WordPress plugin versions up to and including 4.12.0 suffer from a missing authorization vulnerability. The flaw stems from an incorrect configuration of access control security levels, where privilege checks or nonce tokens are absent in certain functions. This allows any unauthenticated visitor to perform actions that should be reserved for higher-privileged users [1].
Attack Vector
No authentication is required to trigger the vulnerability. An attacker can send crafted requests to the plugin's endpoints, bypassing intended permission checks. The issue is part of a class of mass-exploit vulnerabilities often used in campaigns that target thousands of WordPress sites simultaneously, regardless of their size or popularity [1].
Impact
Successful exploitation enables an attacker to execute higher-privileged actions without proper authorization. Depending on the specific function that lacks access control, this could lead to unauthorized data modification, content manipulation, or other administrative capabilities that compromise site integrity [1]. The CVSS v3 score of 6.5 reflects the medium severity of such broken access control flaws.
Mitigation
The vendor recommends updating Total Poll Lite to a version newer than 4.12.0. For those unable to update immediately, consulting a hosting provider or web developer for additional security measures is advised. The vulnerability is not yet known to be listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.12.0
- Range: <=4.12.0
Patches
No patches discovered yet.
References