CVE-2024-12575: 
WordPress vulnerability analysis and mitigation

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress contains a Basic Information Exposure vulnerability affecting all versions up to and including 5.8.9. The vulnerability was disclosed on August 15, 2025, and has been assigned CVE-2024-12575 (NVD).

The vulnerability exists in the 'aysfinishpoll' AJAX action functionality of the plugin. It allows unauthenticated attackers to retrieve administrator email information that is exposed in the poll response. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no privileges required. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (Wordfence).

The vulnerability allows unauthorized access to administrator email information through poll responses, potentially exposing sensitive contact information that could be used for targeted attacks or spam campaigns (NVD).

The vulnerability has been patched in version 5.9.0 of the Poll Maker plugin. Users are advised to update to this version or later to protect against potential exploitation (WordPress Plugin).