CVE-2026-8995: Poll Maker Information Disclosure Flaw

CVE-2026-8995 Overview

CVE-2026-8995 is a sensitive information exposure vulnerability in the Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress. The flaw affects all versions up to and including 6.3.7. The plugin's ays_poll_get_user_information AJAX action serializes and returns the complete WP_User object to any authenticated requester. Returned data includes the bcrypt user_pass hash, user_email, user_login, user_registered timestamp, roles, and capabilities. The endpoint lacks nonce verification and enforces only an is_user_logged_in() check, so subscriber-level accounts can extract account secrets. WordPress does not expose password hashes through any standard interface, making the leak useful for offline cracking.

Critical Impact

Authenticated attackers with subscriber-level access can retrieve their own bcrypt password hash and account metadata, enabling offline password-cracking attacks against WordPress credentials.

Affected Products

• Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress (versions ≤ 6.3.7)
• Vulnerable code paths identified in class-poll-maker-ays.php and class-poll-maker-ays-public.php
• Fixed in plugin version 6.3.8

Discovery Timeline

• 2026-05-29 - CVE-2026-8995 published to NVD
• 2026-05-29 - Last updated in NVD database

Technical Details for CVE-2026-8995

Vulnerability Analysis

The vulnerability is classified as Sensitive Information Exposure [CWE-200]. The Poll Maker plugin registers an AJAX action named ays_poll_get_user_information that returns user profile data for the currently authenticated requester. The handler performs only an is_user_logged_in() gate before fetching the user object and serializing it back to the client. Because WordPress's WP_User object includes the underlying data property — which contains every column from the wp_users table — the response leaks user_pass, user_email, user_login, and user_registered alongside roles and capabilities. The bcrypt hash returned from user_pass is the same value WordPress uses for password validation and is normally never exposed through REST, XML-RPC, or admin AJAX endpoints.

Root Cause

The root cause is a combination of two access-control failures. First, the handler does not call check_ajax_referer() or any equivalent nonce verification, removing CSRF protection. Second, the authorization check is limited to confirming the requester is logged in — no current_user_can() capability check restricts the call to administrators or to the specific user whose data is being read. The handler then returns the entire WP_User object via wp_send_json() without filtering sensitive fields, exposing data the WordPress core deliberately withholds from standard APIs.

Attack Vector

Exploitation requires a valid WordPress account with subscriber privileges or higher — the default role assigned by open-registration sites. An attacker authenticates, then issues an AJAX POST request to /wp-admin/admin-ajax.php with action=ays_poll_get_user_information. The plugin responds with the JSON-serialized WP_User object containing the bcrypt password hash and email address. The attacker can then run offline cracking tools such as hashcat against the recovered hash. If a weak password is recovered, the attacker can attempt credential reuse against the same site at higher privilege levels or against external services sharing the email address.

No proof-of-concept code is published. See the Wordfence Vulnerability Report and the affected source at class-poll-maker-ays-public.php (6.3.7) for technical detail.

Detection Methods for CVE-2026-8995

Indicators of Compromise

• POST requests to /wp-admin/admin-ajax.php containing the parameter action=ays_poll_get_user_information from subscriber or low-privilege sessions.
• HTTP responses from admin-ajax.php that are unusually large for a poll plugin and include serialized fields such as user_pass, user_email, or user_registered.
• Repeated calls to the same AJAX action from a single authenticated session, suggesting enumeration or scripted extraction.

Detection Strategies

• Inspect web server access logs for the ays_poll_get_user_information action string and correlate with the requesting user ID.
• Deploy a Web Application Firewall (WAF) rule that flags responses from admin-ajax.php containing user_pass or bcrypt hash patterns matching \$2y\$ or \$P\$.
• Audit installed plugin versions across WordPress fleets to identify Poll Maker installations at or below 6.3.7.

Monitoring Recommendations

• Forward WordPress access logs and PHP error logs to a centralized SIEM for query against the vulnerable action name.
• Alert on new low-privilege account registrations followed shortly by AJAX activity against poll plugin endpoints.
• Monitor outbound traffic from web servers for unexpected exfiltration of user-table content.

How to Mitigate CVE-2026-8995

Immediate Actions Required

• Update the Poll Maker plugin to version 6.3.8 or later, which contains the access-control fix in class-poll-maker-ays-public.php.
• Force a password reset for all WordPress users on affected sites, particularly administrators and editors.
• Review user registrations created during the exposure window and disable any unrecognized subscriber accounts.

Patch Information

The vendor has released Poll Maker 6.3.8 to address CVE-2026-8995. The patched handler at class-poll-maker-ays-public.php#L2959 (6.3.8) restricts the data returned by the ays_poll_get_user_information action. Site operators should apply the update through the WordPress plugin dashboard or by deploying the 6.3.8 release manually. Refer to the Wordfence Vulnerability Report for vendor remediation detail.

Workarounds

• If patching is not immediately possible, deactivate the Poll Maker plugin until the update can be applied.
• Restrict access to /wp-admin/admin-ajax.php for the ays_poll_get_user_information action through a WAF rule that blocks the action parameter.
• Disable open user registration via the WordPress General Settings to remove the easiest path to a subscriber-level account.
• Enforce strong password policies and multi-factor authentication so that recovered hashes resist offline cracking.

# Example WAF rule (ModSecurity) to block exploitation of the vulnerable action
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1026899501,\
    msg:'Block CVE-2026-8995 Poll Maker user-info disclosure'"
    SecRule ARGS:action "@streq ays_poll_get_user_information"