Skip to main content

Total Poll Lite EUVDEUVD-2026-15759

| CVE-2026-27044 CRITICAL
Code Injection (CWE-94)
2026-03-25 Patchstack GHSA-83q4-w7hc-jf49
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15759
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.9

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion.This issue affects Total Poll Lite: from n/a through <= 4.12.0.

AnalysisAI

Total Poll Lite, a WordPress plugin, contains an improper code injection vulnerability (CWE-94) that allows remote code inclusion and execution. All versions up to and including 4.12.0 are affected. An attacker can exploit this vulnerability to achieve remote code execution (RCE) on WordPress installations running the vulnerable plugin, potentially gaining full control of the affected web application.

Technical ContextAI

The vulnerability resides in the TotalSuite Total Poll Lite WordPress plugin (CPE: cpe:2.3:a:totalsuite:total_poll_lite:*:*:*:*:*:*:*:*), which is classified under CWE-94 (Improper Control of Generation of Code). This CWE category encompasses vulnerabilities where an application dynamically constructs and executes code (such as PHP eval statements or dynamic file inclusion) without proper sanitization or validation of user-supplied input. In the context of WordPress plugins, this typically manifests as unsafe use of PHP functions like eval(), include(), require(), or similar dynamic code execution mechanisms that process attacker-controlled parameters. The vulnerability enables remote code inclusion, meaning an attacker can cause the server to include and execute arbitrary code from remote or local sources.

RemediationAI

Immediately upgrade Total Poll Lite to a patched version beyond 4.12.0 through the WordPress plugin update mechanism or directly from the vendor's repository. Users should navigate to Plugins > Installed Plugins in the WordPress admin panel and update Total Poll Lite to the latest available version. Consult the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/totalpoll-lite/vulnerability/wordpress-total-poll-lite-plugin-4-12-0-remote-code-execution-rce-vulnerability?_s_id=cve) for specific patched version information and vendor advisories. As an interim measure prior to patching, disable the Total Poll Lite plugin entirely and consider restricting admin access via Web Application Firewalls (WAF) rules, limiting plugin functionality to authenticated users only, or implementing network-level access controls to the WordPress admin interface.

Share

EUVD-2026-15759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy