Cyber Resilience

CVE-2025-26971

High

Published: 25 February 2025

Published
25 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0008 23.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26971 is a high-severity SQL Injection (CWE-89) vulnerability in Ays-Pro Poll Maker. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-26971 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the Ays Pro Poll Maker WordPress plugin, also referred to as poll-maker. This flaw affects Poll Maker versions from n/a through 5.6.5 and is classified under CWE-89.

The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating network accessibility, low attack complexity, requirement for high privileges, no user interaction, changed scope, high confidentiality impact, no integrity impact, and low availability impact. High-privilege users, such as authenticated administrators, can exploit it remotely to achieve data extraction from the underlying database through blind SQL injection techniques.

Patchstack advisories detail this SQL injection vulnerability in WordPress Poll Maker 5.6.5 and provide guidance on mitigation, available at https://patchstack.com/database/Wordpress/Plugin/poll-maker/vulnerability/wordpress-poll-maker-5-6-5-sql-injection-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Poll Maker poll-maker allows Blind SQL Injection.This issue affects Poll Maker: from n/a through <= 5.6.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection vulnerability in public-facing WordPress plugin enables remote exploitation for database data extraction by high-privilege users.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-10628Same vendor: Ays-Pro
CVE-2019-25537Shared CWE-89
CVE-2019-25366Shared CWE-89
CVE-2019-25496Shared CWE-89
CVE-2026-1475Shared CWE-89
CVE-2026-26990Shared CWE-89
CVE-2026-44047Shared CWE-89
CVE-2025-12865Shared CWE-89
CVE-2024-11135Shared CWE-89
CVE-2019-25491Shared CWE-89

Affected Assets

ays-pro
poll maker
≤ 5.6.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates blind SQL injection by requiring validation of all user inputs before they are used in SQL commands within the Poll Maker plugin.

prevent

Ensures timely remediation of the specific SQL injection flaw in Poll Maker versions through <=5.6.5 by identifying, prioritizing, and patching vulnerabilities.

detect

Facilitates early detection of the blind SQL injection vulnerability in the WordPress plugin via automated vulnerability scanning of web applications.

References