PegaPoll CVE-2024-50490

Severity: CRITICAL (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description (CVE.org)
Missing Authorization vulnerability in lowcage PegaPoll pegapoll allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects PegaPoll: from n/a through <= 1.0.2.
Analysis (AI)
Authorization bypass in the PegaPoll WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to invoke plugin functionality that should be restricted by ACLs. The flaw was reported by Patchstack and carries a critical CVSS of 9.8 alongside an unusually high EPSS of 52.44% (98th percentile), indicating elevated exploitation likelihood relative to typical CVEs, although no public exploit was identified at the time of analysis and the CVE is not present in CISA KEV.
Technical Context (AI)
PegaPoll is a polling plugin developed by lowcage for the WordPress ecosystem. Like most WordPress plugins, it exposes administrative or restricted functions through AJAX or REST endpoints. The root cause is CWE-862 (Missing Authorization): the plugin fails to perform capability or nonce checks (such as current_user_can() or check_ajax_referer()) before executing sensitive operations, so any unauthenticated visitor can reach functionality intended for privileged users. This is a recurring vulnerability class in the WordPress plugin ecosystem, and the Patchstack reporter routinely identifies such flaws in third-party plugins.
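As an added illustration of the missing-authorization pattern described above, the following is a hypothetical "examplepoll" WordPress AJAX handler in its vulnerable form beside a hardened form that uses check_ajax_referer() and current_user_can(). This is not PegaPoll's code: the affected PegaPoll handlers are not published on this page, and every function and option name below is invented for the example.

```php
<?php
// Hypothetical "examplepoll" plugin handlers illustrating CWE-862 (Missing Authorization).
// Not PegaPoll's code: the affected PegaPoll handlers are not published on this page.

// VULNERABLE: registered for unauthenticated callers via wp_ajax_nopriv_ and performs a
// privileged operation with neither a nonce check nor a capability check.
function examplepoll_delete_poll_vulnerable() {
    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    delete_option( 'examplepoll_poll_' . $poll_id ); // state-changing action, no authorization
    wp_send_json_success( array( 'deleted' => $poll_id ) );
}
add_action( 'wp_ajax_examplepoll_delete_v1', 'examplepoll_delete_poll_vulnerable' );
add_action( 'wp_ajax_nopriv_examplepoll_delete_v1', 'examplepoll_delete_poll_vulnerable' ); // anyone can reach it

// HARDENED: only registered for logged-in users, verifies a nonce bound to this action,
// and requires an appropriate capability. The nonce alone is CSRF protection; it is the
// current_user_can() check that actually closes the CWE-862 gap.
function examplepoll_delete_poll_hardened() {
    // Dies with HTTP 400 / "-1" when the 'nonce' POST field does not validate for this action.
    check_ajax_referer( 'examplepoll_delete', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    $poll_id = isset( $_POST['poll_id'] ) ? absint( $_POST['poll_id'] ) : 0;
    if ( 0 === $poll_id ) {
        wp_send_json_error( array( 'message' => 'invalid poll_id' ), 400 ); // exits
    }

    delete_option( 'examplepoll_poll_' . $poll_id );
    wp_send_json_success( array( 'deleted' => $poll_id ) );
}
add_action( 'wp_ajax_examplepoll_delete', 'examplepoll_delete_poll_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: admin-ajax.php answers unauthenticated requests with "0".

// The nonce is issued only on the admin screen that renders the delete control
// (assumes a script handle 'examplepoll-admin' registered elsewhere in the plugin).
function examplepoll_admin_nonce() {
    wp_localize_script( 'examplepoll-admin', 'examplepollAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'examplepoll_delete' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'examplepoll_admin_nonce' );
```

When auditing a plugin for this class, grep each wp_ajax_nopriv_ and REST route registration and confirm the callback reaches a capability check before any state-changing call; a nonce check on its own does not establish authorization.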
Affected Products (AI)
The vulnerability affects the PegaPoll WordPress plugin by lowcage in all versions from the initial release through and including 1.0.2. No CPE string was provided in the input data; the vendor advisory should be retrieved from Patchstack (audit@patchstack.com is the reporting CNA) for the precise enumeration of affected builds.
Remediation (AI)
No vendor-released patch was identified at the time of analysis; the description states that the issue affects all versions up to and including 1.0.2, with no fixed version specified. Administrators should monitor the Patchstack advisory database and the WordPress plugin repository for an updated release above 1.0.2 and apply it immediately when available. Until a patch ships, the following compensating controls apply:
- Deactivate and remove the PegaPoll plugin entirely if polling functionality is not business-critical (side effect: loss of polling features, and any stored poll data may become inaccessible).
- Place the plugin's AJAX/REST endpoints behind a Web Application Firewall rule that restricts access by authenticated session cookie or IP allowlist (side effect: may block legitimate poll submissions from end users).
- Use a WordPress hardening plugin such as Patchstack or Wordfence to apply a virtual patch if a vPatch signature is published.
Same weakness: CWE-862 – Missing Authorization
Same technique: Authentication Bypass
External POC / Exploit Code (external links, leaving vuln.today)