CVE-2025-24577 identifies a missing authorization vulnerability in the Ays Pro Poll Maker software, affecting all versions up to 5.5.0. The core issue stems from incorrectly configured access control security levels, which fail to properly enforce authorization checks on sensitive operations within the polling application. This misconfiguration allows an attacker to bypass intended access restrictions and perform unauthorized actions such as viewing, modifying, or deleting poll data. The vulnerability does not require user interaction, making it easier to exploit if the attacker can reach the application interface. Although no public exploits have been reported yet, the flaw presents a significant risk due to the fundamental nature of access control failures. Poll Maker is used to create and manage online polls and surveys, often deployed in organizational environments where poll data confidentiality and integrity are critical. The absence of a CVSS score indicates that the vulnerability is newly disclosed, and no formal severity rating has been assigned. However, the missing authorization issue typically represents a high-risk security gap because it undermines core security principles. The vulnerability was reserved in January 2025 and published in April 2025, with no patches currently linked, indicating that users must rely on interim mitigations until an official fix is available.

The missing authorization vulnerability in Poll Maker can lead to unauthorized access and manipulation of poll data, potentially compromising the confidentiality and integrity of sensitive information collected through polls. Attackers could alter poll results, delete polls, or access restricted data, undermining trust in the polling process. For organizations relying on Poll Maker for decision-making or data collection, this could result in misinformation, reputational damage, and operational disruption. Since the vulnerability does not require user interaction and can be exploited remotely if the application is exposed, the attack surface is broad. The availability impact is likely limited but could occur if attackers disrupt poll services. The lack of authentication barriers means that attackers with network access to the application could exploit this flaw easily. This poses a significant risk to organizations worldwide that use Poll Maker, especially those in sectors like market research, education, government, and any entity conducting sensitive surveys or polls.

Organizations should immediately audit and tighten access control configurations in their Poll Maker deployments, ensuring that only authorized users can perform sensitive operations. Restrict network access to the Poll Maker application by implementing firewall rules or VPN requirements to limit exposure to trusted users only. Monitor application logs for unusual access patterns or unauthorized activity indicative of exploitation attempts. Until an official patch is released by Ays Pro, consider disabling or limiting features that allow poll creation or modification by non-administrative users. Engage with the vendor to obtain timelines for patches and apply them promptly once available. Additionally, implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting authorization bypass attempts. Conduct regular security assessments and penetration testing focused on access control mechanisms to identify and remediate similar issues proactively.