CVE-2025-12620: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ays-pro Poll Maker – Versus Polls, Anonymous Polls, Image Polls
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the ‘filterbyauthor’ parameter in all versions up to, and including, 6.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2025-12620 is a SQL injection flaw in the WordPress plugin 'Poll Maker – Versus Polls, Anonymous Polls, Image Polls' by ays-pro, affecting all versions up to and including 6.0.7. The root cause is improper neutralization of special elements in the 'filterbyauthor' parameter: the plugin neither escapes the user-supplied value nor passes it through a prepared statement before embedding it in an existing SQL query, so an authenticated user holding the Administrator role (or higher) can inject additional SQL into that query and read data from the WordPress database, such as rows from wp_users or wp_options. As described, the flaw affects confidentiality only; no integrity or availability impact is attributed to it. No user interaction is required, but because high privileges are required the realistic attacker is someone who already holds administrator credentials or a malicious insider. A practical caveat: on a single-site WordPress installation an Administrator can normally install plugins or edit plugin files and therefore already has code execution, so this issue matters most where that capability is withheld, for example on multisite installations (where plugin installation is reserved for the Super Admin) or on sites that set DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT. At the time of publication there were no known public exploits and no patch. The CVSS v3.1 base score is 4.9 (medium): network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact and no integrity or availability impact. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Potential Impact
The primary impact is unauthorized disclosure of data held in the WordPress database. An administrator-level attacker can read tables the plugin's own queries never expose, including wp_users (logins, e-mail addresses and password hashes), wp_usermeta, and wp_options, which frequently holds third-party API keys and other plugin secrets. The flaw does not itself permit modifying data or disrupting service, but the exposed data supports follow-on attacks: offline cracking of password hashes, reuse of leaked secrets against other services, and targeted phishing of the users whose details are disclosed. Sites with this plugin installed are exposed wherever an administrator account is compromised or an administrator acts maliciously. The medium rating reflects the high privilege requirement, not a limited attack vector: the vector is the network and the confidentiality impact is high. No public exploit was known at publication, which lowers the immediate likelihood of exploitation but not its impact once an attacker has the required access. This is particularly relevant for sites that rely on polling for user engagement, such as political campaigns, market research or community feedback platforms.
Mitigation Recommendations
1. Confirm exposure: check the installed plugin version in the WordPress admin (Plugins screen) or with WP-CLI's `wp plugin list`; treat 6.0.7 and every earlier version as affected.
2. Restrict Administrator-level access to trusted personnel only, remove stale or shared administrator accounts, and enforce multi-factor authentication (MFA) so that stolen passwords alone do not yield the privileges this flaw requires.
3. Monitor for exploitation attempts: in web server access logs, look for requests carrying the 'filterbyauthor' parameter with quote characters, comment sequences (`--`, `/*`) or SQL keywords; in MySQL general or slow query logs, look for UNION or information_schema queries issued by the WordPress database user. Access logs only capture query-string parameters, so a POSTed value needs request-body logging or a WAF to inspect.
4. Disable or uninstall the 'Poll Maker – Versus Polls, Anonymous Polls, Image Polls' plugin if it is not essential, which removes the attack surface entirely.
5. Keep WordPress core, themes and plugins current, and apply the plugin update as soon as a release newer than 6.0.7 that fixes this issue is published; at the time of publication no patch was available.
6. Until a patch is available, add a web application firewall (WAF) rule scoped to the plugin's admin requests that rejects 'filterbyauthor' values containing SQL metacharacters or keywords (or, if the value is always a numeric ID, anything that is not digits). Scope the rule narrowly: admin pages carry many free-text fields, and a site-wide rule will generate false positives.
7. Conduct regular security audits and penetration tests focusing on plugins and custom code, specifically looking for `$wpdb` queries built by string concatenation instead of `$wpdb->prepare()`.
8. Educate administrators and in-house developers on SQL injection and on WordPress parameter handling: validate with `absint()` or `sanitize_text_field()`, then bind with `$wpdb->prepare()`.
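For the log-monitoring and WAF-rule recommendations above, the following Python scanner (an added example, not a tool from OffSeq, Wordfence or the plugin vendor) pulls `filterbyauthor` values out of combined-format access-log lines, percent-decodes them a second time so double-encoded payloads are not missed, and flags values containing quote characters, comment sequences or SQL keywords. The log lines are constructed for the example and the admin page path in them is an assumption; the checks in `check_filterbyauthor` are the same ones a WAF rule scoped to this parameter should implement.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Characters and keywords that a poll author filter should never contain.
SUSPICIOUS = re.compile(
    r"""['"`;]|--|/\*|\b(union|select|sleep|benchmark|information_schema)\b""",
    re.IGNORECASE,
)

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the admin page path "page=poll-maker" is an assumption.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Nov/2025:06:22:43 +0000] "GET /wp-admin/admin.php?page=poll-maker&filterbyauthor=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Nov/2025:06:23:01 +0000] "GET /wp-admin/admin.php?page=poll-maker&filterbyauthor=2%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 6012',
    '198.51.100.7 - - [13/Nov/2025:06:25:17 +0000] "GET /wp-admin/admin.php?page=poll-maker&filterbyauthor=%2532%2527%2520OR%25201%253D1 HTTP/1.1" 200 5300',
    '198.51.100.9 - - [13/Nov/2025:06:26:00 +0000] "GET /wp-admin/admin.php?page=poll-maker&orderby=title HTTP/1.1" 200 5000',
]


def check_filterbyauthor(value: str, numeric_only: bool = False) -> Optional[str]:
    """Return a reason if the decoded value looks like an injection attempt,
    otherwise None. parse_qs has already decoded once; decoding again catches
    %2527-style double encoding aimed at slipping past naive filters."""
    decoded = unquote_plus(value)
    if decoded.strip().isdigit():
        return None
    if SUSPICIOUS.search(decoded):
        return f"sql-metachar: {decoded!r}"
    if numeric_only:
        return f"non-numeric: {decoded!r}"
    return None


def scan_log(lines: List[str], numeric_only: bool = False) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_target, reason) for every flagged request.
    Only query-string parameters are visible in an access log; a POSTed
    filterbyauthor needs request-body logging or a WAF to inspect."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in params.get("filterbyauthor", []):
            reason = check_filterbyauthor(value, numeric_only)
            if reason:
                hits.append((m["ip"], m["target"], reason))
    return hits


if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}  {reason}\n    {target}")
```

Run against the constructed sample, the scanner flags the UNION attempt from 203.0.113.5 and the double-encoded `2' OR 1=1` from 198.51.100.7, and ignores the benign numeric filter and the request without the parameter. Because every request to this plugin's admin page is already authenticated as an administrator, any hit here is worth an incident ticket rather than a silent drop: it indicates either a compromised administrator account or an insider.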
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-02T16:28:40.451Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691579339e485ce1c4d841f5
Added to database: 11/13/2025, 6:22:43 AM
Last enriched: 2/27/2026, 8:49:07 PM
Last updated: 3/26/2026, 11:09:24 AM