
CVE-2024-13426: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in gamerz WP-Polls

Severity: Medium
Tags: Vulnerability, CVE-2024-13426, CWE-89
Published: Wed Jan 22 2025 (01/22/2025, 02:20:24 UTC)
Source: CVE Database V5
Vendor/Project: gamerz
Product: WP-Polls

Description

CVE-2024-13426 is a medium severity SQL Injection vulnerability in the WP-Polls WordPress plugin (all versions up to and including 2.77.2). It arises from improper sanitization of user-supplied COOKIE parameters, allowing unauthenticated attackers to inject additional SQL commands. Although the injected queries do not return data to the attacker, the vulnerability can be leveraged to inject stored malicious JavaScript, leading to stored Cross-Site Scripting (XSS). Exploitation requires no authentication but has a high attack complexity. No known exploits are currently in the wild. The vulnerability impacts the confidentiality and integrity of affected sites but does not affect availability. Organizations using WP-Polls should prioritize patching or applying mitigations to prevent exploitation. Countries with significant WordPress usage and a large web presence are most at risk.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 01:14:31 UTC

Technical Analysis

CVE-2024-13426 identifies a SQL Injection vulnerability in the WP-Polls plugin for WordPress, affecting all versions up to and including 2.77.2. The root cause is insufficient escaping and lack of prepared statements when processing a user-supplied COOKIE parameter. This allows unauthenticated attackers to append arbitrary SQL queries to existing database commands. Although the injected queries do not return results directly to the attacker, limiting direct data exfiltration, the vulnerability can be chained with stored Cross-Site Scripting (XSS) attacks by injecting malicious JavaScript payloads into the database. This stored XSS can execute in the context of users visiting the affected site, potentially leading to session hijacking, privilege escalation, or further compromise. The attack vector is remote and requires no authentication, but the attack complexity is high due to the need for precise payload crafting and the absence of direct feedback from the database. The vulnerability affects the confidentiality and integrity of the data managed by the plugin but does not impact availability. No public exploits have been reported yet, but the presence of stored XSS increases the risk profile. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
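The defect class described above, shown as an added illustration (this is not WP-Polls' own code; the cookie name `voted_ids`, the table `{$wpdb->prefix}example_polls` and the column `pollq_id` are assumptions): a raw cookie value concatenated into SQL, beside a hardened version that validates the cookie's shape and binds every value through `$wpdb->prepare()`.

```php
<?php
// Added example, not code from the WP-Polls plugin. Cookie name, table and
// column names are hypothetical placeholders chosen for illustration.

// Vulnerable pattern (the root cause the advisory describes): the cookie is
// trusted and interpolated directly, so MySQL parses whatever it contains.
function unsafe_voted_polls() {
    global $wpdb;
    $raw = isset( $_COOKIE['voted_ids'] ) ? $_COOKIE['voted_ids'] : '';
    $sql = "SELECT pollq_id FROM {$wpdb->prefix}example_polls WHERE pollq_id IN ($raw)";
    return $wpdb->get_results( $sql ); // no escaping, no prepared statement
}

// Hardened version: allowlist validation first, then parameterised query.
function safe_voted_polls() {
    global $wpdb;
    $raw = isset( $_COOKIE['voted_ids'] ) ? (string) $_COOKIE['voted_ids'] : '';

    // 1. Reject anything that is not a comma-separated list of integers.
    //    This closes the injection path before the value reaches SQL.
    if ( '' === $raw || ! preg_match( '/^\d+(,\d+)*$/', $raw ) ) {
        return array();
    }
    $ids = array_map( 'intval', explode( ',', $raw ) );

    // 2. Bind each id with a %d placeholder; $wpdb->prepare() accepts an
    //    array of arguments, so the IN (...) list can be any length.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT pollq_id FROM {$wpdb->prefix}example_polls WHERE pollq_id IN ($placeholders)",
        $ids
    );
    return $wpdb->get_results( $sql );
}

// 3. Break the SQLi-to-stored-XSS chain on output: anything read back from
//    the database is escaped before it is rendered into the page.
function render_poll_ids( array $rows ) {
    $out = '';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->pollq_id ) . '</li>';
    }
    return $out;
}
```

Even with the query fixed, the output escaping in `render_poll_ids()` matters: data that was injected before patching is still in the database, and escaping on output is what stops it from executing in visitors' browsers.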

Potential Impact

The primary impact of CVE-2024-13426 is on the confidentiality and integrity of data managed by the WP-Polls plugin. Attackers can inject arbitrary SQL commands, potentially modifying or corrupting poll data. The stored XSS component enables execution of malicious scripts in users' browsers, risking session hijacking, credential theft, or further exploitation of the site. Although direct data exfiltration via SQL Injection is limited, the combined SQLi and stored XSS can lead to significant compromise of site security and user trust. Organizations relying on WP-Polls for user engagement or data collection may face reputational damage, data integrity issues, and increased risk of broader site compromise. The vulnerability does not affect system availability directly, but exploitation could lead to indirect denial of service through corrupted data or administrative lockout. Given the widespread use of WordPress and the popularity of polling plugins, the scope of affected systems is substantial, especially for sites that have not applied updates or mitigations.

Mitigation Recommendations

1. Immediate upgrade to a patched version of WP-Polls once released by the vendor. Since no patch links are currently available, monitor official sources closely.
2. In the interim, implement web application firewall (WAF) rules to detect and block suspicious SQL injection patterns in COOKIE headers targeting the WP-Polls plugin.
3. Employ input validation and sanitization at the application level to reject malformed or unexpected COOKIE values.
4. Disable or remove the WP-Polls plugin if it is not essential, to reduce attack surface.
5. Conduct regular security audits and code reviews of WordPress plugins to identify similar injection flaws.
6. Use Content Security Policy (CSP) headers to mitigate the impact of stored XSS by restricting script execution sources.
7. Monitor logs for unusual database queries or web requests that may indicate attempted exploitation.
8. Educate site administrators on the risks of using outdated plugins and the importance of timely updates.
9. Consider isolating the WordPress environment and limiting database permissions for plugins to minimize potential damage from injection attacks.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-15T19:25:50.224Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e56b7ef31ef0b59e7f9

Added to database: 2/25/2026, 9:49:10 PM

Last enriched: 2/26/2026, 1:14:31 AM

Last updated: 2/26/2026, 6:18:48 AM

