CVE-2024-9874: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ays-pro Poll Maker – Versus Polls, Anonymous Polls, Image Polls
CVE-2024-9874 is a medium severity SQL Injection vulnerability affecting the Poll Maker – Versus Polls, Anonymous Polls, Image Polls WordPress plugin up to and including version 5.4.6. The flaw exists in the 'orderby' parameter, which is improperly sanitized, allowing authenticated users with Administrator-level privileges or higher to perform time-based SQL Injection attacks. Exploitation can lead to unauthorized extraction of sensitive database information but does not affect data integrity or availability. No user interaction beyond authentication is required, and no known exploits are currently in the wild. The vulnerability requires high privileges, limiting the attack surface to trusted users with admin access. Organizations using this plugin should prioritize patching or applying mitigations to prevent potential data leakage.
AI Analysis
Technical Summary
CVE-2024-9874 identifies a time-based SQL Injection vulnerability in the Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress, versions up to and including 5.4.6. The vulnerability arises from improper neutralization of special characters in the 'orderby' parameter, which is placed into SQL queries without sufficient escaping or prepared statements. This allows an authenticated attacker with Administrator-level access or higher to inject SQL that is appended to the plugin's legitimate queries. The attack vector is network-based with no user interaction required beyond authentication. Exploiting this flaw enables attackers to extract sensitive information from the backend database by leveraging time delays in query responses to infer data. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Although the CVSS v3.1 base score is 4.9 (medium), the impact on confidentiality is high, while integrity and availability remain unaffected. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. All versions of the plugin up to and including 5.4.6 are affected; the plugin is widely used in WordPress environments for creating various types of polls.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database, which may include user data, configuration details, or other confidential content managed by the plugin or the WordPress site. Since exploitation requires Administrator-level access, the threat is mainly from insider threats or compromised admin accounts. However, if an attacker gains admin credentials through phishing, credential stuffing, or other means, they could leverage this vulnerability to escalate data exfiltration capabilities. The vulnerability does not allow modification or deletion of data, nor does it cause denial of service, limiting its impact to confidentiality breaches. Organizations relying on this plugin for poll management risk exposure of sensitive internal data, which could lead to privacy violations, regulatory non-compliance, and reputational damage. The medium CVSS score reflects the balance between the high confidentiality impact and the requirement for high privileges.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade the Poll Maker plugin to a version that addresses this issue once available. In the absence of an official patch, administrators should restrict plugin access strictly to trusted users and consider disabling or removing the plugin if not essential. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns in the 'orderby' parameter can provide temporary protection. Additionally, enforcing strong authentication mechanisms such as multi-factor authentication (MFA) for all administrator accounts reduces the risk of credential compromise. Regularly auditing user privileges to ensure only necessary users have admin rights will limit the attack surface. Monitoring database query logs for unusual time delays or anomalies may help detect exploitation attempts. Finally, developers should refactor the plugin code to use parameterized queries or prepared statements to prevent SQL injection vulnerabilities.
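The injectable 'orderby' pattern described in the technical analysis, beside the hardened form the mitigation section calls for, as an added example that is not the plugin's own code. The table, column and function names are hypothetical; the point it adds is that an ORDER BY identifier cannot be bound as a prepared-statement value, so the fix is an allow-list rather than a placeholder.

```php
<?php
// Added example (not the Poll Maker plugin's code). Table and column
// names are placeholders chosen for illustration.

// Vulnerable pattern: the request value is concatenated into ORDER BY.
// sanitize_text_field() strips tags and control characters but leaves
// SQL syntax intact, and $wpdb->prepare() placeholders bind values, not
// identifiers, so whatever arrives in 'orderby' becomes part of the SQL.
function example_poll_list_vulnerable( wpdb $wpdb ) {
    $orderby = isset( $_GET['orderby'] ) ? sanitize_text_field( wp_unslash( $_GET['orderby'] ) ) : 'id';
    $order   = isset( $_GET['order'] ) ? sanitize_text_field( wp_unslash( $_GET['order'] ) ) : 'DESC';

    $sql = "SELECT id, title FROM {$wpdb->prefix}example_polls ORDER BY $orderby $order";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: the request value is only a key into a fixed map of
// known-safe columns; anything unrecognized falls back to the default.
// Sort direction is reduced to one of two literals, and the one real
// value in the query (the row limit) still goes through prepare().
function example_poll_list_hardened( wpdb $wpdb, int $per_page = 20 ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return array(); // defence in depth: keep the admin-only contract explicit
    }

    $allowed_columns = array(
        'id'      => 'id',
        'title'   => 'title',
        'created' => 'create_date',
    );
    $requested = isset( $_GET['orderby'] ) ? (string) $_GET['orderby'] : 'id';
    $orderby   = isset( $allowed_columns[ $requested ] ) ? $allowed_columns[ $requested ] : 'id';

    $order = ( isset( $_GET['order'] ) && strtoupper( (string) $_GET['order'] ) === 'ASC' ) ? 'ASC' : 'DESC';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_polls ORDER BY $orderby $order LIMIT %d",
        $per_page
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

WordPress 6.2 added the `%i` identifier placeholder to `$wpdb->prepare()`, which backtick-quotes a column name; the allow-list remains the cleaner control because it also restricts sorting to columns the plugin intends to expose.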
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-10-11T16:23:35.056Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b62b7ef31ef0b554de0
Added to database: 2/25/2026, 9:36:34 PM
Last enriched: 2/25/2026, 11:45:19 PM
Last updated: 2/26/2026, 9:49:40 AM