Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion.This issue affects Total Poll Lite: from n/a through <= 4.12.0.
AnalysisAI
Total Poll Lite, a WordPress plugin, contains an improper code injection vulnerability (CWE-94) that allows remote code inclusion and execution. All versions up to and including 4.12.0 are affected. An attacker can exploit this vulnerability to achieve remote code execution (RCE) on WordPress installations running the vulnerable plugin, potentially gaining full control of the affected web application.
Technical ContextAI
The vulnerability resides in the TotalSuite Total Poll Lite WordPress plugin (CPE: cpe:2.3:a:totalsuite:total_poll_lite:*:*:*:*:*:*:*:*), which is classified under CWE-94 (Improper Control of Generation of Code). This CWE category encompasses vulnerabilities where an application dynamically constructs and executes code (such as PHP eval statements or dynamic file inclusion) without proper sanitization or validation of user-supplied input. In the context of WordPress plugins, this typically manifests as unsafe use of PHP functions like eval(), include(), require(), or similar dynamic code execution mechanisms that process attacker-controlled parameters. The vulnerability enables remote code inclusion, meaning an attacker can cause the server to include and execute arbitrary code from remote or local sources.
RemediationAI
Immediately upgrade Total Poll Lite to a patched version beyond 4.12.0 through the WordPress plugin update mechanism or directly from the vendor's repository. Users should navigate to Plugins > Installed Plugins in the WordPress admin panel and update Total Poll Lite to the latest available version. Consult the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/totalpoll-lite/vulnerability/wordpress-total-poll-lite-plugin-4-12-0-remote-code-execution-rce-vulnerability?_s_id=cve) for specific patched version information and vendor advisories. As an interim measure prior to patching, disable the Total Poll Lite plugin entirely and consider restricting admin access via Web Application Firewalls (WAF) rules, limiting plugin functionality to authenticated users only, or implementing network-level access controls to the WordPress admin interface.
More in Total Poll Lite
View allSame weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15759
GHSA-83q4-w7hc-jf49