MEDIUM 4.3

CVE-2026-8995: Poll Maker WordPress Plugin Sensitive Information Exposure – Password Hash Disclosure

The Poll Maker – Versus Polls plugin for WordPress has a flaw that lets logged-in users see sensitive account information they shouldn't access, including password hashes. The vulnerability stems from an AJAX endpoint that returns the entire WordPress user object without proper security checks. Any subscriber or higher can call this endpoint and retrieve not just their own data, but potentially others' account details including email addresses, registration dates, roles, and capabilities. While the exposure doesn't immediately compromise an account, the password hash data could be targeted by offline cracking attempts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays_poll_get_user_information' AJAX action, which serializes and returns the complete WP_User object — including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities — without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8995 exploits insufficient access controls in the 'ays_poll_get_user_information' AJAX action within Poll Maker versions up to 6.3.7. The endpoint serializes and returns the complete WP_User object when called by any authenticated user, relying only on is_user_logged_in() for validation. It lacks both nonce verification and capability checks. The returned payload includes user_pass (bcrypt hash), user_email, user_login, user_registered, roles, and capabilities—data that WordPress ordinarily withholds from standard API queries. This represents CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as the plugin exposes account secrets reserved by WordPress core.

Business impact

Organizations using Poll Maker risk user account metadata exposure across their WordPress instances. While CVSS 4.3 reflects limited direct impact, the real risk lies in credential compromise if password hashes are subjected to offline brute-force attacks. For multi-user sites, this creates a lateral-movement vector: lower-privileged users can enumerate and profile higher-privilege accounts. Data privacy concerns emerge if email addresses and registration histories are harvested at scale. The exposure also heightens compliance risk under GDPR and similar regulations if user data exfiltration is documented.

Affected systems

Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is affected in versions up to and including 6.3.7. The vulnerability requires WordPress to be installed and the plugin to be active. It is exploitable by any user account with subscriber-level access or higher, meaning contributor, author, editor, and administrator roles are all at risk of exposure. Multisite WordPress installations are also in scope if the plugin is activated.

Exploitability

Exploitation is straightforward for attackers with valid WordPress credentials. No user interaction is required beyond authenticating to the site; the AJAX endpoint is freely callable by any logged-in user. Network access is required (AV:N) but attacks can originate remotely. The attack complexity is low (AC:L) because no special conditions or race conditions must be triggered. Subscribers—often the least-privileged user tier—are sufficient to execute the attack. The vulnerability is unauthenticated in the practical sense that it requires only baseline login privileges, making it attractive to attackers who have compromised a low-privilege account or who operate on shared WordPress environments.

Remediation

Update Poll Maker to a patched version released after 6.3.7. Verify the exact patch version number against the plugin's official release notes or vendor advisory. As an immediate interim measure, disable the plugin or restrict user registration and access to trusted administrators only. Consider blocking the 'ays_poll_get_user_information' AJAX action at the WAF or application firewall level if available. WordPress administrators should audit user accounts for unauthorized access and monitor for signs of credential compromise.

Patch guidance

Patch your Poll Maker installation as soon as a version post-6.3.7 is released. Use the WordPress plugin dashboard to check for and apply available updates. Before patching production systems, test updates on a staging environment to ensure compatibility with other active plugins and customizations. After patching, verify the fix by confirming that the 'ays_poll_get_user_information' endpoint either no longer exposes the WP_User object or now includes proper nonce validation and capability checks. Check the vendor's advisory for any additional configuration changes or security recommendations.

Detection guidance

Monitor logs for repeated calls to the 'admin-ajax.php' endpoint with the parameter 'action=ays_poll_get_user_information', especially from low-privilege user accounts or from external IP ranges. Inspect for serialized WP_User objects in response payloads if you have HTTP logging in place. Set up alerts on user enumeration patterns—multiple AJAX calls from a single session in rapid succession targeting user data. Query WordPress user metadata for unusual access to the 'user_pass' field if your database logging supports it. Conduct regular permission audits to identify subscriber accounts that should not have login access.

Why prioritize this

Although CVSS 4.3 is moderate, prioritize this vulnerability for timely patching because it directly exposes password hashes—a foundational credential asset. Offline brute-force attacks against bcrypt hashes are computationally feasible with modern hardware, especially if weak passwords are used. The low barrier to exploitation (any subscriber can trigger it) and the lack of user interaction required elevate practical risk. Sites with guest or contractor accounts should patch urgently, as credential compromise at any privilege level can enable persistence or lateral movement. However, this is not an emergency patch if your user access controls are strictly managed.

Risk score, explained

CVSS 4.3 reflects a low confidentiality impact (C:L) with no integrity or availability loss. The score accounts for the requirement of prior authentication (PR:L) and a network-accessible vector (AV:N). The moderate severity balances the sensitivity of exposed data (password hashes, emails) against the limited scope (user's own account and profile data, not system-wide secrets). The actual business risk may exceed the numeric score if your organization has a large user base, relies on weak password policies, or operates in a regulated industry. Use this score as a floor for risk assessment, not a ceiling.

Frequently asked questions

Can this vulnerability expose other users' password hashes or just my own?

The description specifies that authenticated attackers can retrieve complete WP_User objects, and the endpoint serializes all user information accessible to the calling user. In typical WordPress setups, this means subscribers see their own data and possibly other users' data depending on the endpoint's query scope. Verify against your plugin version and configuration—test with a subscriber account to determine exposure breadth. If the endpoint returns all users' objects, the risk is significantly higher.

Do I need to force password resets for all users if this vulnerability is exploited?

Not necessarily. The exposed data is the bcrypt hash, not the plaintext password. Bcrypt hashes are computationally expensive to crack. If your users have strong passwords (12+ characters, mixed case, numbers, symbols), the time to crack a hash is prohibitive. Force resets if you suspect active exploitation, unusual login patterns, or if users have weak passwords. Otherwise, patching and monitoring are the priority.

Is this vulnerability exploitable if our WordPress site requires two-factor authentication?

Yes. Two-factor authentication protects account login but does not prevent the AJAX endpoint from being called by an already-authenticated attacker. If an attacker gains credentials through other means (phishing, data breach), MFA does not block their access to the poll plugin's user-information endpoint. MFA is still valuable but is not a substitute for patching this vulnerability.

What should I do if I can't patch immediately?

Restrict user account creation to trusted administrators only. Disable the Poll Maker plugin if it's not actively used. Implement a Web Application Firewall rule to block requests to 'admin-ajax.php?action=ays_poll_get_user_information'. Monitor access logs for exploitation attempts. Plan a patching window within 2–4 weeks depending on your risk tolerance and user base size.

This analysis is provided for informational purposes to help security teams prioritize and respond to CVE-2026-8995. The information is accurate as of the publication date. CVSS scores, patch availability, and vendor advisories may change; verify all details against official vendor documentation and KEV catalogs before making remediation decisions. This explainer does not constitute legal or compliance advice. Organizations must conduct their own risk assessment based on their specific environment, user base, and regulatory obligations. SEC.co makes no warranty regarding the completeness or accuracy of this vulnerability analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).