
PegaPoll CVE-2024-50490

CRITICAL
Missing Authorization (CWE-862)
2024-10-29 audit@patchstack.com
9.8
CVSS 3.1 · NVD

Severity by source

NVD (primary): 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

CVSS changed: Apr 23, 2026 - 15:22 (NVD), 9.8 (CRITICAL)
CVE Published: Oct 29, 2024 - 09:15 (nvd), N/A

Description (CVE.org)

Missing Authorization vulnerability in lowcage PegaPoll pegapoll allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects PegaPoll: from n/a through <= 1.0.2.

Analysis (AI)

An authorization bypass in the PegaPoll WordPress plugin (versions up to and including 1.0.2) allows remote, unauthenticated attackers to invoke plugin functionality that should be restricted by ACLs. The flaw was reported by Patchstack and carries a critical CVSS of 9.8 alongside an unusually high EPSS of 52.44% (98th percentile), indicating an elevated likelihood of exploitation relative to typical CVEs, although no public exploit had been identified at the time of analysis and the CVE is not listed in CISA KEV.

Technical Context (AI)

PegaPoll is a polling plugin developed by lowcage for WordPress and, like most plugins of its kind, exposes administrative or restricted functions through AJAX or REST endpoints. The root cause is CWE-862 (Missing Authorization): the plugin fails to perform capability or nonce checks (such as current_user_can() or check_ajax_referer()) before executing sensitive operations, so any unauthenticated visitor can reach functionality intended for privileged users. This is a recurring vulnerability class in the WordPress plugin ecosystem, and Patchstack routinely identifies such flaws in third-party plugins.
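As an added illustration of the CWE-862 pattern described above (hypothetical code, not PegaPoll's, and not taken from the advisory): a WordPress AJAX handler registered for unauthenticated visitors with no capability or nonce check, beside the hardened form that calls check_ajax_referer() and current_user_can(). All hook, function, action and option names are invented.

```php
<?php
// Hypothetical WordPress AJAX handlers illustrating CWE-862 (Missing Authorization)
// and its fix. This is NOT PegaPoll's code; every name below is invented.

// --- Vulnerable pattern: the handler is registered on the wp_ajax_nopriv_ hook
// (reachable without a login) and performs a privileged action with no
// capability check and no nonce check.
add_action( 'wp_ajax_nopriv_hypo_delete_poll', 'hypo_delete_poll_insecure' );
add_action( 'wp_ajax_hypo_delete_poll', 'hypo_delete_poll_insecure' );
function hypo_delete_poll_insecure() {
    $poll_id = absint( $_POST['poll_id'] ?? 0 );
    // Any visitor who reaches admin-ajax.php with this action can delete a poll.
    hypo_delete_poll_record( $poll_id );
    wp_send_json_success( array( 'deleted' => $poll_id ) );
}

// --- Hardened pattern: register only for logged-in users (no nopriv hook),
// verify the CSRF nonce, then verify the caller holds the required capability.
add_action( 'wp_ajax_hypo_delete_poll_secure', 'hypo_delete_poll_secure' );
function hypo_delete_poll_secure() {
    // check_ajax_referer() terminates the request (HTTP 403) unless a valid
    // nonce for the 'hypo_delete_poll' action is supplied in the 'nonce' field.
    check_ajax_referer( 'hypo_delete_poll', 'nonce' );

    // A nonce proves intent, not privilege: the capability check is the
    // authorization step that CWE-862 describes as missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $poll_id = absint( $_POST['poll_id'] ?? 0 );
    if ( 0 === $poll_id ) {
        wp_send_json_error( array( 'message' => 'invalid poll id' ), 400 );
    }
    hypo_delete_poll_record( $poll_id );
    wp_send_json_success( array( 'deleted' => $poll_id ) );
}

// Stand-in for the plugin's own persistence logic (hypothetical option storage).
function hypo_delete_poll_record( $poll_id ) {
    delete_option( 'hypo_poll_' . $poll_id );
}

// The admin page that issues the request must embed a matching nonce, e.g.
// wp_create_nonce( 'hypo_delete_poll' ) passed to the script via wp_localize_script().
```

When reviewing a plugin for this class of bug, list every add_action() on a wp_ajax_nopriv_ or rest_api_init hook and confirm each callback performs both a nonce check and a capability check before any state change.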

Affected Products (AI)

The vulnerability affects the PegaPoll WordPress plugin by lowcage in all versions from the initial release through and including 1.0.2. No CPE string was provided in the input data; the vendor advisory should be retrieved from Patchstack (audit@patchstack.com is the reporting CNA) for the precise enumeration of affected builds.

Remediation (AI)

No vendor-released patch had been identified at the time of analysis; the description states that the issue affects all versions up to and including 1.0.2, with no fixed version specified. Administrators should monitor the Patchstack advisory database and the WordPress plugin repository for a release above 1.0.2 and apply it immediately when available.

Until a patch ships, the following compensating controls apply, each with a side effect to weigh:

Deactivate and remove the PegaPoll plugin entirely if polling functionality is not business-critical (side effect: loss of polling features, and stored poll data may become inaccessible).

Place the plugin's AJAX/REST endpoints behind a Web Application Firewall rule that restricts access by authenticated session cookie or IP allowlist (side effect: may block legitimate poll submissions from end users).

Use a WordPress hardening plugin such as Patchstack or Wordfence to apply virtual patches if a vPatch signature is published.


CVE-2024-50490 vulnerability details – vuln.today
