CVE-2025-12620 is a SQL Injection vulnerability identified in the WordPress plugin Poll Maker – Versus Polls, Anonymous Polls, Image Polls, versions up to and including 6.0.7. The root cause is insufficient escaping and lack of proper preparation of the 'filterbyauthor' parameter in SQL queries, which allows an authenticated attacker with administrator privileges to append arbitrary SQL commands to existing queries. This vulnerability falls under CWE-89, indicating improper neutralization of special elements in SQL commands. The attack vector is network-based with low attack complexity, requiring high privileges but no user interaction. Successful exploitation can lead to unauthorized disclosure of sensitive information from the backend database, compromising confidentiality. However, it does not affect data integrity or availability. The CVSS v3.1 score is 4.9 (medium), reflecting the limited scope due to required privileges and no direct impact on integrity or availability. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with administrator accounts exposed or compromised. The lack of a patch at the time of reporting necessitates interim mitigations such as restricting administrator access, monitoring database queries, and applying web application firewall rules to detect suspicious SQL patterns.

For European organizations, this vulnerability presents a risk of sensitive data exposure from WordPress sites using the affected Poll Maker plugin. Since exploitation requires administrator-level access, the primary impact is on organizations with weak internal access controls or compromised administrator credentials. Confidentiality of user data, poll results, or other stored information could be compromised, potentially violating GDPR and other data protection regulations. While the vulnerability does not affect data integrity or availability, the leakage of sensitive information can lead to reputational damage, regulatory fines, and loss of customer trust. Organizations running public-facing WordPress sites with this plugin are particularly at risk. The medium severity rating reflects the need for privileged access, but the potential impact on data confidentiality remains significant. European entities in sectors such as media, education, and public services that use polling plugins for engagement may be targeted to extract sensitive information.

1. Monitor the vendor’s announcements closely and apply official patches immediately once released. 2. Until a patch is available, restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. Implement strict input validation and sanitization on the 'filterbyauthor' parameter if custom code modifications are possible. 4. Use parameterized queries or prepared statements in any custom plugin modifications to prevent SQL injection. 5. Deploy Web Application Firewalls (WAF) with rules targeting SQL injection patterns, specifically monitoring requests containing the 'filterbyauthor' parameter. 6. Regularly audit administrator accounts and monitor logs for suspicious activities or unusual database queries. 7. Consider disabling or replacing the vulnerable plugin with a secure alternative if patching is delayed. 8. Educate administrators on the risks of SQL injection and the importance of secure credential management.