Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a through <= 4.12.0.
AnalysisAI
TotalSuite Total Poll Lite plugin for WordPress versions up to 4.12.0 allows authenticated users to bypass access controls and modify poll data due to missing authorization checks on administrative functions. An authenticated attacker with low privileges can exploit incorrectly configured access control security levels to read, modify, or delete poll content without proper authorization, achieving a CVSS score of 6.3 with low exploitation probability (EPSS 0.02%).
Technical ContextAI
This vulnerability stems from a missing authorization flaw (CWE-862) in the Total Poll Lite WordPress plugin, where backend functionality fails to properly validate user permissions before executing sensitive operations. The plugin implements access control security levels but does not correctly enforce these restrictions across all administrative endpoints. WordPress plugin vulnerabilities of this class typically arise when role-based access control (RBAC) checks are omitted from AJAX handlers, REST API endpoints, or admin-ajax actions, allowing authenticated users of lower privilege levels (e.g., subscribers or contributors) to invoke capabilities reserved for administrators. The CPE string cpe:2.3:a:totalsuite:total_poll_lite:*:*:*:*:*:*:*:* encompasses all versions through 4.12.0, indicating a wide attack surface across multiple installations.
RemediationAI
Update TotalSuite Total Poll Lite to a version newer than 4.12.0 immediately via the WordPress admin dashboard (Plugins → Installed Plugins → Total Poll Lite → Update). If a patched version is available in the WordPress repository, it will be offered as an automatic update. Administrators should verify the updated version number after installation. As an interim workaround pending patching, restrict WordPress user roles to administrators only for sites where non-administrator poll access is not essential, and audit existing user accounts to remove unnecessary elevated permissions. For sites requiring poll functionality across multiple user roles, closely monitor access logs for suspicious administrative actions by low-privilege accounts until patched. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/totalpoll-lite/vulnerability/wordpress-total-poll-lite-plugin-4-12-0-broken-access-control-vulnerability for additional context and any workaround recommendations from the vendor.
More in Total Poll Lite
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20317
GHSA-4483-ppjr-hhm4