CVE-2025-49044: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in tosend.it Simple Poll WordPress plugin that allows Stored Cross-Site Scripting (XSS). The vulnerability affects Simple Poll versions up to 1.1.1 and was disclosed on August 14, 2025. The vulnerability was discovered by security researcher TAKERU OTSUKA (Patchstack, Wordfence).

The vulnerability has been assigned CVE-2025-49044 and received a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The issue allows unauthenticated attackers to perform CSRF attacks that can lead to stored XSS (Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored cross-site scripting attacks. The software is considered abandoned as it hasn't been updated for over a year, increasing the security risk for users (Patchstack).

As there is no official fix available and the software is considered abandoned, users are strongly advised to remove and replace the Simple Poll plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).