CVE-2025-3470: 
WordPress vulnerability analysis and mitigation

The TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-3470) discovered on April 14, 2025. This vulnerability affects all versions up to and including 2.4.6. The issue exists in the s parameter due to insufficient escaping of user-supplied input and inadequate preparation of SQL queries (NVD, CVE).

The vulnerability is present in the plugin's handling of the s parameter, where user input is not properly escaped before being used in SQL queries. The issue specifically occurs in the admin/class-ts_poll_list.php file. The CVSS v3.1 score is 4.9 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. This indicates that while the vulnerability requires high privileges to exploit, it can lead to unauthorized access to sensitive information (NVD).

When exploited, this vulnerability allows authenticated attackers with Administrator-level access to append additional SQL queries to existing queries. This can be used to extract sensitive information from the database, potentially compromising the confidentiality of stored data (NVD).

Users should upgrade to a version newer than 2.4.6 when available. As this is a recently discovered vulnerability, users should monitor the plugin's official repository for security updates (NVD).