Skip to main content

Total Poll Lite CVE-2026-39651

| EUVDEUVD-2026-20317 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-4483-ppjr-hhm4
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 10:22 NVD
6.3 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Apr 15, 2026 - 12:42 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
6.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20317
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a through <= 4.12.0.

AnalysisAI

TotalSuite Total Poll Lite plugin for WordPress versions up to 4.12.0 allows authenticated users to bypass access controls and modify poll data due to missing authorization checks on administrative functions. An authenticated attacker with low privileges can exploit incorrectly configured access control security levels to read, modify, or delete poll content without proper authorization, achieving a CVSS score of 6.3 with low exploitation probability (EPSS 0.02%).

Technical ContextAI

This vulnerability stems from a missing authorization flaw (CWE-862) in the Total Poll Lite WordPress plugin, where backend functionality fails to properly validate user permissions before executing sensitive operations. The plugin implements access control security levels but does not correctly enforce these restrictions across all administrative endpoints. WordPress plugin vulnerabilities of this class typically arise when role-based access control (RBAC) checks are omitted from AJAX handlers, REST API endpoints, or admin-ajax actions, allowing authenticated users of lower privilege levels (e.g., subscribers or contributors) to invoke capabilities reserved for administrators. The CPE string cpe:2.3:a:totalsuite:total_poll_lite:*:*:*:*:*:*:*:* encompasses all versions through 4.12.0, indicating a wide attack surface across multiple installations.

RemediationAI

Update TotalSuite Total Poll Lite to a version newer than 4.12.0 immediately via the WordPress admin dashboard (Plugins → Installed Plugins → Total Poll Lite → Update). If a patched version is available in the WordPress repository, it will be offered as an automatic update. Administrators should verify the updated version number after installation. As an interim workaround pending patching, restrict WordPress user roles to administrators only for sites where non-administrator poll access is not essential, and audit existing user accounts to remove unnecessary elevated permissions. For sites requiring poll functionality across multiple user roles, closely monitor access logs for suspicious administrative actions by low-privilege accounts until patched. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/totalpoll-lite/vulnerability/wordpress-total-poll-lite-plugin-4-12-0-broken-access-control-vulnerability for additional context and any workaround recommendations from the vendor.

Share

CVE-2026-39651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy