CVE-2024-50490 Overview
CVE-2024-50490 is a Missing Authorization vulnerability affecting the PegaPoll WordPress plugin developed by lowcage. This security flaw allows attackers to access functionality that is not properly constrained by Access Control Lists (ACLs), potentially enabling arbitrary option updates that can lead to privilege escalation on affected WordPress installations.
Critical Impact
Unauthenticated or low-privileged attackers can exploit this vulnerability to modify WordPress options arbitrarily, potentially escalating their privileges to administrator level and gaining complete control over the affected website.
Affected Products
- PegaPoll WordPress Plugin version 1.0.2 and earlier
- WordPress installations with PegaPoll plugin enabled
Discovery Timeline
- 2024-10-29 - CVE-2024-50490 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2024-50490
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), which occurs when an application fails to perform authorization checks when an actor attempts to access a resource or perform an action. In the context of PegaPoll, the plugin exposes functionality that allows modification of WordPress options without properly verifying that the requesting user has the necessary permissions to perform such operations.
The vulnerability has an exceptionally high EPSS probability score of 20.191%, placing it in the 95.5th percentile. This indicates a significantly elevated likelihood of exploitation in the wild compared to other vulnerabilities, making timely remediation essential.
Root Cause
The root cause of this vulnerability is the absence of proper capability checks and nonce verification in the PegaPoll plugin's option update functionality. WordPress plugins should implement authorization checks using functions like current_user_can() to verify user capabilities before allowing sensitive operations. The PegaPoll plugin fails to implement these checks, allowing any user—or potentially unauthenticated visitors—to invoke privileged functionality.
Attack Vector
The attack exploits the missing authorization controls in PegaPoll's option update mechanism. An attacker can craft malicious requests to the vulnerable endpoint to modify arbitrary WordPress options. This can be leveraged to:
- Change the default user role to administrator
- Enable user registration if disabled
- Modify site URLs for phishing attacks
- Alter other critical WordPress settings
By manipulating the users_can_register option and default_role setting, an attacker can register a new administrator account and gain full control of the WordPress installation.
Detection Methods for CVE-2024-50490
Indicators of Compromise
- Unexpected changes to WordPress options, particularly users_can_register and default_role
- Newly created administrator accounts that were not authorized
- Suspicious POST requests to PegaPoll plugin endpoints in access logs
- Unauthorized modifications to site settings or configurations
Detection Strategies
- Monitor WordPress wp_options table for unexpected modifications to critical settings
- Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the PegaPoll plugin
- Review access logs for POST requests to /wp-admin/admin-ajax.php with PegaPoll-related actions
- Deploy file integrity monitoring to detect unauthorized plugin or core file changes
Monitoring Recommendations
- Enable WordPress audit logging to track all option changes with user attribution
- Configure alerts for new administrator account creation
- Implement real-time monitoring of user role changes and registration setting modifications
- Deploy endpoint detection solutions that can identify post-exploitation activities
How to Mitigate CVE-2024-50490
Immediate Actions Required
- Deactivate and remove the PegaPoll plugin immediately from all WordPress installations
- Audit existing WordPress options for unauthorized modifications
- Review all user accounts for unauthorized administrator privileges
- Check and reset users_can_register and default_role options to secure values
- Implement a WAF rule to block requests to PegaPoll plugin endpoints as an interim measure
Patch Information
As of the available data, no patched version of PegaPoll has been released that addresses this vulnerability. The affected versions include all releases through version 1.0.2. Organizations should remove the plugin entirely until a security patch is made available by the developer. For additional technical details, refer to the Patchstack vulnerability analysis.
Workarounds
- Remove the PegaPoll plugin from WordPress installations until a patched version is available
- Implement server-level access controls to restrict access to plugin endpoints
- Use a WordPress security plugin with virtual patching capabilities to block exploitation attempts
- Configure web server rules to deny requests to the vulnerable plugin directory
# Apache .htaccess rule to block access to PegaPoll plugin
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/plugins/pegapoll/.*$ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
