CVE-2026-8995

An authenticated attacker with subscriber-level access or higher sends a POST request to the WordPress AJAX endpoint with the action parameter set to `ays_poll_get_user_information`. The handler lacks nonce verification and performs no capability check beyond verifying the user is logged in, so any authenticated user can trigger it [ref_id=1]. The response returns the full `WP_User` object, which includes the bcrypt password hash (`user_pass`), email, login name, registration date, roles, and capabilities — data that WordPress does not expose through any standard interface [ref_id=2]. The attacker can then use the leaked password hash in offline password-cracking attacks.

The vulnerable AJAX action `ays_poll_get_user_information` is registered in `class-poll-maker-ays.php` for both authenticated and unauthenticated users via `wp_ajax_ays_poll_get_user_information` and `wp_ajax_nopriv_ays_poll_get_user_information` hooks [ref_id=1]. The handler is defined in the public-facing class `Poll_Maker_Ays_Public` and, according to the advisory, serializes and returns the complete `WP_User` object — including `user_pass`, `user_email`, `user_login`, `user_registered`, `roles`, and all capabilities — without any nonce verification or capability check beyond `is_user_logged_in()` [ref_id=2].

The patch in version 6.3.8 removes the registration of the `ays_poll_get_user_information` AJAX action entirely — both the `wp_ajax_` and `wp_ajax_nopriv_` hooks are deleted from `define_public_hooks()` [ref_id=2]. By eliminating the endpoint, the plugin no longer exposes the `WP_User` object to any user, closing the information disclosure. The advisory does not specify whether a nonce or capability check was added because the entire action was removed.