HIGH 8.2

CVE-2016-20062: SQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft

A SQL injection flaw in the Simply Poll WordPress plugin version 1.4.1 allows attackers without login credentials to steal data directly from a site's database. By crafting malicious requests to the plugin's AJAX handler, an attacker can execute arbitrary database queries and extract sensitive information such as user credentials, posts, or custom data. The vulnerability requires no user interaction and can be exploited by anyone with network access to the affected WordPress site.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST parameter. Attackers can send requests to the admin-ajax.php endpoint with the 'spAjaxResults' action and malicious 'pollid' values to execute arbitrary SQL queries and read sensitive data from the WordPress database.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2016-20062 is a pre-authentication SQL injection vulnerability in Simply Poll 1.4.1 that exists in the plugin's AJAX action handler. The vulnerability stems from unsanitized user input in the 'pollid' POST parameter passed to the 'spAjaxResults' action at the admin-ajax.php endpoint. The plugin fails to properly escape or parameterize SQL queries, allowing attackers to inject arbitrary SQL syntax. Because this endpoint is publicly accessible and the vulnerable action lacks authentication checks, any remote client can send crafted payloads to read arbitrary data from the WordPress database. The attack vector is network-based, does not require user interaction, and operates in an isolation context with no authentication prerequisite.

Business impact

Organizations relying on Simply Poll 1.4.1 face a direct risk of data breach. Attackers can exfiltrate user credentials, private content, customer information, and other sensitive database records without authorization or audit trail friction. The exposure is especially critical for WordPress sites handling PII, payment data, or confidential business information. Site availability is not directly threatened, but the confidentiality and integrity of the database are compromised. Regulatory compliance implications (GDPR, PCI-DSS, HIPAA) may arise if the compromised data includes regulated information.

Affected systems

Simply Poll WordPress plugin version 1.4.1 is confirmed vulnerable. Sites using this plugin version with the default WordPress admin-ajax.php endpoint exposed to the internet are at risk. Wordpress sites without restrictive network controls or Web Application Firewalls are most vulnerable. The vulnerability does not require any specific WordPress version and affects any installation of the affected plugin.

Exploitability

This vulnerability has a high exploitability rating. It requires no authentication, no user interaction, and no special privileges. The attack is straightforward: an attacker crafts a POST request with a malicious SQL payload in the 'pollid' parameter directed at the admin-ajax.php endpoint with action='spAjaxResults'. Exploitation can be automated and scaled. Public disclosure and proof-of-concept tools lower the barrier further, though this CVE is not yet on the CISA Known Exploited Vulnerabilities list.

Remediation

The primary remediation is to update the Simply Poll plugin to a patched version released after the vulnerability publication date of 2026-06-09. Verify the vendor advisory for the specific patch version that resolves CWE-89 SQL injection. If an immediate patch is unavailable, disable or uninstall the Simply Poll plugin pending vendor release. As a temporary mitigation, restrict access to admin-ajax.php via Web Application Firewall rules that block suspicious 'spAjaxResults' requests or sanitize the 'pollid' parameter, though this is not a substitute for patching.

Patch guidance

Check the Simply Poll plugin repository or vendor security advisory for a version released after 2026-06-17 (the modification date) that explicitly addresses this SQL injection. Apply the patch through the WordPress plugin dashboard or manual upload, ensuring the plugin is deactivated before updating if recommended by the vendor. After patching, verify the plugin version has been incremented beyond 1.4.1 and test poll functionality to confirm normal operation. Review database access logs around the vulnerability publication window to detect possible prior exploitation.

Detection guidance

Monitor Web server access logs for POST requests to admin-ajax.php with action=spAjaxResults and suspicious 'pollid' parameter values containing SQL syntax (e.g., UNION, SELECT, OR '1'='1, --). Enable WordPress security logging plugins to capture AJAX activity. Conduct a database audit to identify any unusual query patterns or unauthorized data access in the timeframe between the plugin release and patching. Query WordPress user tables and audit logs to detect accounts created or modified during the exposure window. Network segmentation and intrusion detection systems should be tuned to flag SQL injection signatures targeting WordPress endpoints.

Why prioritize this

This vulnerability scores 8.2 CVSS (HIGH) with zero authentication requirements, network accessibility, and direct data exfiltration capability. It poses an immediate risk to any WordPress installation running Simply Poll 1.4.1 exposed to the internet. The attack surface (public AJAX endpoint) is trivial to locate and exploit. Organizations should treat patching as urgent, particularly if the site handles sensitive data. The combination of ease-of-exploitation and high impact on confidentiality justifies rapid remediation within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects: (1) Network-based attack vector with no authentication requirement (AV:N, PR:N), (2) Low attack complexity, meaning no special conditions are needed (AC:L), (3) Complete compromise of confidentiality (C:H) via unrestricted database read access, (4) Partial impact on integrity (I:L) in some SQL injection scenarios, and (5) No direct availability impact (A:N). The score does not account for widespread deployment or lack of KEV status; however, the practical risk remains high due to the plugin's common use and the public nature of the vulnerable endpoint.

Frequently asked questions

How do I know if my WordPress site is running Simply Poll 1.4.1?

Log into your WordPress admin dashboard, navigate to Plugins, and search for 'Simply Poll'. If installed, the plugin list will display its version number. Alternatively, check the file /wp-content/plugins/simply-poll/simply-poll.php and search for the version string. If you see version 1.4.1 or earlier, your site may be vulnerable.

Is there a workaround if I cannot patch immediately?

Temporary measures include: disabling the Simply Poll plugin (if not critical to your site), using a Web Application Firewall to block requests to admin-ajax.php with action=spAjaxResults, or implementing IP-based access controls to limit who can reach admin-ajax.php. However, these are not substitutes for patching. Patching is the definitive fix.

What data is most at risk if my site is exploited?

Attackers can read any data in the WordPress database, including user credentials (usernames, password hashes), email addresses, post content (published and draft), comments, plugin/theme configuration, and any custom data stored by other plugins. If e-commerce or membership plugins are active, payment data or member information may also be exposed.

Do I need to change passwords after patching?

Yes, as a precaution. If your site was exposed during the timeframe between the vulnerability publication (2026-06-09) and your patch deployment, assume database compromise. Reset all WordPress user passwords, especially administrative accounts. Review user accounts for unauthorized entries and check database activity logs for evidence of exploitation.

This analysis is based on the CVE record and vendor advisory information available as of the publication date. No exploit code is provided. Organizations must verify patch availability directly with the Simply Poll vendor before deploying updates. This vulnerability analysis is for informational purposes to support security decision-making; consult your organization's security team and incident response procedures for deployment in production environments. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance for your specific infrastructure. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).