CVE-2024-56295: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the Poll Maker – Versus Polls, Anonymous Polls, Image Polls WordPress plugin affecting versions up to and including 5.5.6. The vulnerability was discovered by Nosa "apapedulimu" Shandy and was publicly disclosed on January 3, 2025. The issue has been assigned CVE-2024-56295 and affects the plugin's access control implementation (WPScan, Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue, where the plugin fails to implement proper capability checks on certain functions. It has received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The vulnerability allows unauthenticated attackers to perform unauthorized actions due to incorrectly configured access control security levels (Patchstack).

The vulnerability enables unauthenticated attackers to execute certain privileged actions within the Poll Maker plugin. This broken access control issue could potentially lead to unauthorized modifications or access to poll-related functionality (Patchstack).

The vulnerability has been patched in version 5.5.7 of the Poll Maker plugin. Users are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).