The Poll Maker – Best WordPress Poll Plugin, widely used in WordPress environments to create interactive polls, contains a vulnerability identified as CVE-2024-3601. This vulnerability is classified under CWE-862 (Missing Authorization) and affects all plugin versions up to and including 5.1.8. The root cause is the absence of a capability check in the ays_poll_create_author function, which is responsible for author-related operations within the plugin. Due to this missing authorization, unauthenticated attackers can remotely enumerate email addresses stored or processed by the plugin by iteratively guessing characters, effectively extracting sensitive user data without any authentication or user interaction. The vulnerability has a CVSS v3.1 base score of 5.3, indicating a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality loss, specifically exposure of email addresses, without affecting data integrity or system availability. No patches or official fixes are currently linked, and no active exploitation has been reported. However, the vulnerability poses a privacy risk and could facilitate further targeted attacks such as phishing or social engineering if exploited.

The primary impact of CVE-2024-3601 is the unauthorized disclosure of email addresses belonging to users or poll participants on affected WordPress sites. This breach of confidentiality can lead to increased phishing attacks, spam campaigns, and social engineering exploits targeting exposed users. Although the vulnerability does not compromise data integrity or availability, the exposure of personally identifiable information (PII) can damage organizational reputation and violate privacy regulations such as GDPR or CCPA. Organizations relying on this plugin for customer engagement or data collection may face legal and compliance risks if user data is leaked. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate email enumeration at scale, potentially affecting a large number of sites globally. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability remains a significant privacy concern that could be weaponized in multi-stage attacks.

To mitigate CVE-2024-3601, organizations should first verify if their WordPress installations use the Poll Maker – Best WordPress Poll Plugin (ays-pro) and identify the plugin version. Since no official patch is currently linked, administrators should: 1) Temporarily disable or remove the plugin if email confidentiality is critical. 2) Restrict access to the plugin’s endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to functions related to ays_poll_create_author. 3) Employ rate limiting and IP blocking to prevent automated enumeration attempts. 4) Monitor web server logs for suspicious requests targeting poll creation or author enumeration functions. 5) Review and harden WordPress user roles and permissions to minimize exposure. 6) Stay updated with the plugin vendor’s announcements for forthcoming patches and apply them promptly. 7) Consider alternative polling plugins with verified security postures if immediate patching is not feasible. These steps go beyond generic advice by focusing on access control, monitoring, and proactive plugin management tailored to this specific vulnerability.