This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: PegaPoll plugin has a **Missing Authorization** flaw. **Consequences**: Attackers can modify arbitrary site options, leading to **Privilege Escalation** and full site takeover.
Q2 Root Cause? (CWE/Flaw)
**Root Cause**: **CWE-862** (Missing Authorization). **Flaw**: The plugin lacks a capability check, allowing unauthenticated users to execute administrative actions.
**Attacker Actions**: Update arbitrary options. **Specific Risk**: Change default registration role to **Administrator**. **Result**: Gain full admin access via user registration.
Q5 Is exploitation threshold high? (Auth/Config)
**Threshold**: **LOW**. **Auth**: **Unauthenticated** (No login needed). **Config**: Network accessible (AV:N). Easy to exploit.
Q6 Is there a public Exp? (PoC/Wild Exploitation)
**Exploit**: **Yes**. **PoC**: Available on GitHub (RandomRobbieBF). **Status**: Publicly known. Wild exploitation risk is high.
Q7 How to self-check? (Features/Scanning)
**Check**: Scan for **PegaPoll** plugin version. **Verify**: Check if version is **≤ 1.0.2**. **Tool**: Use vulnerability scanners or manual version check in WP admin.
Q8 Is it fixed officially? (Patch/Mitigation)
**Fix**: Update PegaPoll plugin to a version **> 1.0.2**. **Action**: Check vendor for patched release. Apply immediately if available.
Q9 What if no patch? (Workaround)
**Workaround**: **Disable** the PegaPoll plugin if not needed. **Block**: Restrict access to plugin endpoints via WAF. Prevent unauthorized option updates.
Q10 Is it urgent? (Priority Suggestion)
**Priority**: **CRITICAL**. **CVSS**: **9.1** (High). **Urgency**: Patch immediately. Risk of full site compromise is immediate and severe.