The Poll Maker – Best WordPress Poll Plugin (versions up to 5.1.8) contains a missing authorization vulnerability (CWE-862) in the ays_poll_create_author function. Due to the absence of a capability check, unauthenticated attackers can enumerate email addresses by querying the system character-by-character. This vulnerability has a CVSS 3.1 base score of 5.3, reflecting a network attack vector with low complexity and no privileges or user interaction required. The impact is limited to confidentiality loss of email addresses, without affecting integrity or availability.

An attacker can extract email addresses from the vulnerable plugin without authentication, leading to partial confidentiality compromise. There is no impact on data integrity or system availability. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting access to the vulnerable plugin functionality or disabling the plugin if feasible to prevent unauthorized data enumeration.