CVE-2024-50490: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability has been identified in the WordPress PegaPoll plugin, affecting versions through 1.0.2. The vulnerability, tracked as CVE-2024-50490, allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs). This critical security issue was discovered and reported on October 25, 2024 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from insufficient sanitization of user-supplied inputs in the application, which can lead to privilege elevation. The vulnerability is classified under CWE-862 (Missing Authorization) (Patchstack, FortiGuard).

The vulnerability allows remote attackers to escalate their privileges on vulnerable systems. If successfully exploited, attackers could potentially gain full control of the website if high privileges are obtained. The vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack, FortiGuard).

Currently, there is no official fix available from the vendor. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures (Patchstack).