CVE-2024-12575: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ays-pro Poll Maker – Versus Polls, Anonymous Polls, Image Polls
CVE-2024-12575 is a medium-severity vulnerability in the WordPress plugin Poll Maker – Versus Polls, Anonymous Polls, Image Polls (versions up to 5. 8. 9). It allows unauthenticated attackers to exploit the 'ays_finish_poll' AJAX action to retrieve sensitive admin email information exposed in poll responses. This exposure does not require user interaction or authentication and affects all versions of the plugin up to 5. 8. 9. Although the vulnerability only leaks email addresses and does not impact integrity or availability, it can facilitate targeted phishing or social engineering attacks. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to protect administrator contact information from unauthorized disclosure.
AI Analysis
Technical Summary
CVE-2024-12575 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WordPress plugin Poll Maker – Versus Polls, Anonymous Polls, Image Polls, developed by ays-pro. The flaw exists in all versions up to and including 5.8.9 and is triggered via the 'ays_finish_poll' AJAX action. This endpoint improperly exposes the administrator's email address in the poll response data, allowing unauthenticated attackers to retrieve this sensitive information without any user interaction or privileges. The vulnerability is remotely exploitable over the network (AV:N), requires no authentication (PR:N), and has low attack complexity (AC:L). The confidentiality impact is limited to the disclosure of admin email addresses, with no impact on integrity or availability. The CVSS v3.1 base score is 5.3, indicating a medium severity level. No patches or fixes are currently linked, and no active exploitation has been reported. The exposure of admin emails can facilitate further attacks such as spear phishing or targeted social engineering campaigns against site administrators.
Potential Impact
The primary impact of CVE-2024-12575 is the unauthorized disclosure of administrator email addresses from WordPress sites using the vulnerable Poll Maker plugin. This information leakage can enable attackers to conduct targeted phishing, spear phishing, or social engineering attacks against site administrators, potentially leading to credential compromise or further exploitation. While the vulnerability does not directly affect system integrity or availability, the exposure of sensitive contact information increases the attack surface and risk profile of affected organizations. Websites relying on this plugin may face reputational damage if attackers leverage the disclosed emails for malicious campaigns. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic scanning and data harvesting by attackers.
Mitigation Recommendations
1. Immediately update the Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin to a version that addresses this vulnerability once available. 2. If no patch is currently available, disable or remove the plugin temporarily to prevent exploitation. 3. Implement web application firewall (WAF) rules to block or restrict access to the 'ays_finish_poll' AJAX action endpoint from unauthenticated users. 4. Monitor web server logs for unusual or repeated requests to the vulnerable AJAX action to detect potential exploitation attempts. 5. Educate administrators about the risk of phishing and social engineering attacks, especially if their email addresses may have been exposed. 6. Consider obfuscating or limiting publicly exposed administrator contact information on the website to reduce attack surface. 7. Regularly audit installed WordPress plugins for vulnerabilities and maintain an up-to-date inventory to facilitate timely patching.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
CVE-2024-12575: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ays-pro Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Description
CVE-2024-12575 is a medium-severity vulnerability in the WordPress plugin Poll Maker – Versus Polls, Anonymous Polls, Image Polls (versions up to 5. 8. 9). It allows unauthenticated attackers to exploit the 'ays_finish_poll' AJAX action to retrieve sensitive admin email information exposed in poll responses. This exposure does not require user interaction or authentication and affects all versions of the plugin up to 5. 8. 9. Although the vulnerability only leaks email addresses and does not impact integrity or availability, it can facilitate targeted phishing or social engineering attacks. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to protect administrator contact information from unauthorized disclosure.
AI-Powered Analysis
Technical Analysis
CVE-2024-12575 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WordPress plugin Poll Maker – Versus Polls, Anonymous Polls, Image Polls, developed by ays-pro. The flaw exists in all versions up to and including 5.8.9 and is triggered via the 'ays_finish_poll' AJAX action. This endpoint improperly exposes the administrator's email address in the poll response data, allowing unauthenticated attackers to retrieve this sensitive information without any user interaction or privileges. The vulnerability is remotely exploitable over the network (AV:N), requires no authentication (PR:N), and has low attack complexity (AC:L). The confidentiality impact is limited to the disclosure of admin email addresses, with no impact on integrity or availability. The CVSS v3.1 base score is 5.3, indicating a medium severity level. No patches or fixes are currently linked, and no active exploitation has been reported. The exposure of admin emails can facilitate further attacks such as spear phishing or targeted social engineering campaigns against site administrators.
Potential Impact
The primary impact of CVE-2024-12575 is the unauthorized disclosure of administrator email addresses from WordPress sites using the vulnerable Poll Maker plugin. This information leakage can enable attackers to conduct targeted phishing, spear phishing, or social engineering attacks against site administrators, potentially leading to credential compromise or further exploitation. While the vulnerability does not directly affect system integrity or availability, the exposure of sensitive contact information increases the attack surface and risk profile of affected organizations. Websites relying on this plugin may face reputational damage if attackers leverage the disclosed emails for malicious campaigns. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic scanning and data harvesting by attackers.
Mitigation Recommendations
1. Immediately update the Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin to a version that addresses this vulnerability once available. 2. If no patch is currently available, disable or remove the plugin temporarily to prevent exploitation. 3. Implement web application firewall (WAF) rules to block or restrict access to the 'ays_finish_poll' AJAX action endpoint from unauthenticated users. 4. Monitor web server logs for unusual or repeated requests to the vulnerable AJAX action to detect potential exploitation attempts. 5. Educate administrators about the risk of phishing and social engineering attacks, especially if their email addresses may have been exposed. 6. Consider obfuscating or limiting publicly exposed administrator contact information on the website to reduce attack surface. 7. Regularly audit installed WordPress plugins for vulnerabilities and maintain an up-to-date inventory to facilitate timely patching.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-12T15:46:31.908Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e43b7ef31ef0b59bf03
Added to database: 2/25/2026, 9:48:51 PM
Last enriched: 2/26/2026, 3:42:50 AM
Last updated: 2/26/2026, 8:07:28 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighFinding Signal in the Noise: Lessons Learned Running a Honeypot with AI Assistance [Guest Diary], (Tue, Feb 24th)
MediumCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.