
CVE-2025-12620: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ays-pro Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Severity: Medium
Tags: Vulnerability, CVE-2025-12620, cve, cve-2025-12620, cwe-89
Published: Thu Nov 13 2025 (11/13/2025, 05:30:39 UTC)
Source: CVE Database V5
Vendor/Project: ays-pro
Product: Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Description

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the ‘filterbyauthor’ parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

Last updated: 11/13/2025, 06:27:13 UTC

Technical Analysis

CVE-2025-12620 identifies an SQL Injection vulnerability in the WordPress plugin 'Poll Maker – Versus Polls, Anonymous Polls, Image Polls' developed by ays-pro. The vulnerability arises from improper neutralization of special elements in the 'filterbyauthor' parameter, which is used in SQL queries without adequate escaping or prepared statements. This allows an authenticated attacker with Administrator-level privileges or higher to append arbitrary SQL commands to existing queries. The attack vector is network-based, requiring no user interaction but necessitating elevated privileges, limiting the attack surface to trusted users with admin access. The vulnerability impacts all versions up to and including 6.0.7 of the plugin. Exploiting this flaw can lead to unauthorized disclosure of sensitive information stored in the database, such as user data or configuration details, but does not allow modification or deletion of data, nor does it affect system availability. The CVSS v3.1 base score is 4.9, reflecting medium severity due to the requirement for high privileges and the limited scope of impact. No patches have been linked yet, and no known exploits are reported in the wild. The vulnerability is categorized under CWE-89, which covers SQL Injection issues stemming from improper input validation and query construction.

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive data exposure if the affected plugin is used on WordPress sites, especially those managing polls or user-generated content. Since exploitation requires Administrator-level access, the threat mainly concerns insider threats or compromised admin accounts. Data leakage could include personally identifiable information (PII), internal configuration, or other sensitive database contents, potentially violating GDPR and other data protection regulations. The impact on confidentiality is high, but integrity and availability remain unaffected. Organizations relying on this plugin for public or internal polling services could face reputational damage and compliance issues if exploited. The absence of known exploits reduces immediate risk, but the presence of the vulnerability in widely deployed WordPress environments means attackers could develop exploits in the future. European companies with high WordPress usage and those in regulated sectors (finance, healthcare, government) should be particularly vigilant.

Mitigation Recommendations

Immediate mitigation should include restricting Administrator-level access to trusted personnel and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Organizations should monitor logs for unusual SQL query patterns or unexpected database access from admin accounts. Since no official patch is currently linked, administrators should consider temporarily disabling or removing the vulnerable plugin if feasible. Alternatively, a manual code review and patch that passes the 'filterbyauthor' parameter through prepared statements or parameterized queries can mitigate the risk. Regular backups and database encryption can limit data exposure impact. Additionally, implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this parameter can provide a protective layer. Organizations should subscribe to vendor updates and apply official patches promptly once available.
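One way to implement the log monitoring recommended above, as an added example that is not part of the advisory or the plugin's code: it scans web-server access logs and flags requests whose `filterbyauthor` value is not a plain integer (an allow-list check rather than signature matching). It assumes Combined Log Format, that the parameter travels in the query string, and that legitimate values are numeric user IDs; the sample lines and the `example-polls` page slug are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PARAM = "filterbyauthor"
# Assumption: a legitimate value is a numeric user ID, or empty (no filter).
VALID_VALUE = re.compile(r"[0-9]{0,20}")


def suspicious_requests(log_lines):
    """Return one finding per request whose filterbyauthor value is not numeric."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes once and keeps repeated parameters.
        for key, value in parse_qsl(query, keep_blank_values=True):
            name = key.split("[", 1)[0].lower()  # also covers filterbyauthor[]=
            # fullmatch (not match/$) so a trailing newline cannot slip through.
            if name == PARAM and not VALID_VALUE.fullmatch(value):
                findings.append({"ip": m["ip"], "time": m["time"],
                                 "status": int(m["status"]), "value": value})
                break  # one finding per request is enough
    return findings


# Constructed sample lines: documentation IP ranges, hypothetical page slug.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Nov/2025:06:01:02 +0000] "GET /wp-admin/admin.php?page=example-polls&filterbyauthor=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Nov/2025:06:02:10 +0000] "GET /wp-admin/admin.php?page=example-polls&filterbyauthor=3%27constructed HTTP/1.1" 200 4981',
    '198.51.100.7 - - [13/Nov/2025:06:03:00 +0000] "GET /wp-admin/admin.php?page=example-polls HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Nov/2025:06:04:30 +0000] "GET /wp-admin/admin.php?page=example-polls&filterbyauthor=5&filterbyauthor=constructed+text HTTP/1.1" 500 312',
    '198.51.100.7 - - [13/Nov/2025:06:05:00 +0000] "GET /wp-admin/admin.php?page=example-polls&filterbyauthor= HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the query string, so a value submitted in a POST body is not visible to this check and needs application-level or WAF logging.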


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-02T16:28:40.451Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691579339e485ce1c4d841f5

Added to database: 11/13/2025, 6:22:43 AM

Last enriched: 11/13/2025, 6:27:13 AM

Last updated: 11/13/2025, 7:58:03 AM

