CVE-2016-20062 Overview
CVE-2016-20062 is a SQL injection vulnerability in the Simply Poll 1.4.1 plugin for WordPress. The flaw resides in the spAjaxResults AJAX action handler, which fails to sanitize the pollid POST parameter before passing it into a database query. Unauthenticated remote attackers can send crafted requests to admin-ajax.php and inject arbitrary SQL statements. Successful exploitation allows attackers to read sensitive information from the WordPress database, including user records, password hashes, and session tokens. The weakness is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated attackers can extract arbitrary data from the WordPress database, including administrative credentials, by issuing a single HTTP POST request to admin-ajax.php.
Affected Products
- Simply Poll plugin for WordPress, version 1.4.1
- WordPress installations with the Simply Poll plugin activated
- Any site exposing admin-ajax.php with the spAjaxResults action handler
Discovery Timeline
- 2026-06-09 - CVE-2016-20062 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2016-20062
Vulnerability Analysis
The Simply Poll plugin registers an AJAX endpoint named spAjaxResults that returns poll results for a given poll identifier. The handler reads the pollid value directly from the POST body and concatenates it into a SQL query without prepared statements or input validation. Because WordPress exposes admin-ajax.php to unauthenticated visitors when the action is registered with wp_ajax_nopriv_, attackers do not require an account on the target site. The vulnerability falls under CWE-89, classic SQL injection through an unsanitized user-controlled parameter.
Root Cause
The root cause is the absence of parameterized queries and input casting in the spAjaxResults handler. The pollid parameter is treated as a trusted integer but is interpolated into the SQL statement as raw user input. WordPress provides $wpdb->prepare() and absint(), and PHP provides intval(), but the plugin code uses none of them.
Attack Vector
The attack is delivered over the network through a standard HTTP POST request. An attacker submits a request to /wp-admin/admin-ajax.php with action=spAjaxResults and a malicious pollid payload containing a UNION SELECT clause or a time-based blind injection payload. The response, or the response timing, reveals data from arbitrary tables such as wp_users. Public exploitation details are documented in Exploit-DB entry 40971 and the VulnCheck advisory.
No verified proof-of-concept code is reproduced here. The vulnerability mechanism is straightforward: the unsanitized pollid value is concatenated into a SQL WHERE clause, allowing union-based and boolean-based injection techniques against the WordPress database.
Detection Methods for CVE-2016-20062
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=spAjaxResults combined with SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA in the pollid parameter
- Anomalous database errors logged by wp-db.php referencing the simply_poll tables
- Unexpected reads against the wp_users table originating from web worker processes
- Web server access logs showing repeated spAjaxResults requests from a single source within a short window
Detection Strategies
- Deploy web application firewall rules that inspect the pollid POST parameter and block non-numeric values
- Monitor for the spAjaxResults action being invoked by unauthenticated sessions at abnormal volumes
- Correlate WordPress debug logs with database query logs to identify malformed SQL originating from the Simply Poll plugin
Monitoring Recommendations
- Enable MySQL general query logging temporarily on at-risk WordPress hosts to capture injection attempts
- Forward Apache or NGINX access logs to a SIEM and alert on admin-ajax.php requests carrying SQL metacharacters
- Track failed login activity following suspicious spAjaxResults traffic, as attackers commonly exfiltrate hashes and then attempt authentication
How to Mitigate CVE-2016-20062
Immediate Actions Required
- Deactivate and remove the Simply Poll 1.4.1 plugin from all WordPress installations
- Replace the plugin with an actively maintained polling solution that uses prepared statements
- Rotate WordPress administrator passwords and invalidate active sessions if exploitation is suspected
- Audit the wp_users and wp_usermeta tables for unauthorized accounts or modified capabilities
Patch Information
No official vendor patch is referenced in the advisory. The Simply Poll plugin is no longer actively maintained on the WordPress plugin directory. Administrators should treat removal as the remediation path. Additional context is available in the VulnCheck advisory.
Workarounds
- Block all POST requests to admin-ajax.php where action=spAjaxResults at the web application firewall layer until the plugin is removed
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where feasible
- Enforce a strict allowlist on the pollid parameter, accepting only numeric values, using a WAF rule or reverse proxy filter
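# Example NGINX configuration to block the vulnerable AJAX action
# NGINX does not allow nested "if" blocks, and "if" runs in the rewrite phase,
# before the request body is read, so $request_body is empty there and cannot
# be matched. This block rejects the action when it is passed in the query
# string; matching action=spAjaxResults inside a POST body requires a
# body-inspecting WAF in front of or inside NGINX.
location = /wp-admin/admin-ajax.php {
    if ($arg_action = "spAjaxResults") {
        return 403;
    }
    # Repeat the site's existing PHP handler directives here so that other
    # AJAX actions are still passed to PHP.
}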
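The numeric allowlist on pollid described under Detection Strategies and Workarounds, as an added example that is not part of the original advisory or the plugin's code: a Python check that a reverse proxy or WAF hook could apply to the request. The function names, the 10-digit bound and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

ACTION = "spajaxresults"                 # action name from the advisory, casefolded
POLLID_OK = re.compile(r"[0-9]{1,10}")   # assumed bound: a plain decimal poll id

def _params(raw):
    """Yield (name, raw_key, value); percent-encoding and '+' are decoded first."""
    for key, value in parse_qsl(raw, keep_blank_values=True):
        # PHP turns 'pollid[]=1' into an array named 'pollid'
        yield key.split("[", 1)[0], key, value

def inspect_request(query, body):
    """Return (allowed, reason) for a POST to /wp-admin/admin-ajax.php."""
    text = body.decode("utf-8", errors="replace")
    params = list(_params(query)) + list(_params(text))
    # The action may arrive in the query string or the body, so check both.
    if not any(n == "action" and v.casefold() == ACTION for n, _, v in params):
        return True, "other action"
    for name, raw_key, value in params:
        if name != "pollid":
            continue
        if raw_key != "pollid":
            return False, "pollid sent as array"
        # Every occurrence is checked: PHP keeps the last duplicate, so a
        # filter that validates only the first one can be bypassed.
        if not POLLID_OK.fullmatch(value):
            return False, "pollid is not a plain integer"
    return True, "numeric pollid"

# Constructed sample requests: (query string, body)
SAMPLES = [
    ("", b"action=spAjaxResults&pollid=3"),
    ("", b"action=spAjax%52esults&pollid=1%20UNION%20SELECT%201"),
    ("", b"action=spAjaxResults&pollid=3&pollid=x"),
    ("", b"action=spAjaxResults&pollid[]=3"),
    ("action=spAjaxResults", b"pollid=x"),
    ("", b"action=heartbeat&pollid=x"),
]

if __name__ == "__main__":
    for query, body in SAMPLES:
        print(inspect_request(query, body), query, body)
```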


