Opened 13 years ago
#1639 new defect
Multiple SQL injection in wordpress poll
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | high | Severity: | critical |
| Plugin: | not-listed | Keywords: | vulnerability, sql injection |
| Cc: | | | |
Description
I have found multiple SQL injection vulnerabilities in the CWPPoll.js file, more specifically in the viewPollResults and userlogs functions. The problem resides in the pollid parameter, which is not sanitised. Thus, via an AJAX call from a script, I can inject SQL code like this:
POC
/wp-admin/admin-ajax.php/?poll_id=2or 1=1&action=view_poll_result
/wp-admin/admin-ajax.php/?poll_id=2or 1=1&action=view_poll_logs
Besides, I have found several functions which could be used by an attacker in order to destroy poll information:
function editAnswer(answerid, poll_id)
function deleteAnswer(answerid, poll_id)
function addAnswer(polls_id)
function deletePoll()
The attacker just has to call these functions and send them any number and the results can be catastrophic.
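
A hardened shape for the server-side handlers behind these AJAX actions, as an added example that is not the plugin's own code. The `view_poll_result` action and the `poll_id` parameter come from the report above; the table and column names, the nonce name, the `cwpp_delete_poll` action and the `manage_options` requirement are assumptions.

```php
<?php
// Added example. Table/column names, the nonce name and the
// 'cwpp_delete_poll' action are hypothetical, not taken from the plugin.

// Only wp_ajax_* is registered (no wp_ajax_nopriv_*), so logged-out
// requests never reach these callbacks.
add_action( 'wp_ajax_view_poll_result', 'cwpp_example_view_poll_result' );
add_action( 'wp_ajax_cwpp_delete_poll', 'cwpp_example_delete_poll' );

// Shared gate: valid nonce, sufficient capability, strictly numeric poll_id.
function cwpp_example_checked_poll_id() {
    // Stops the request with a 403 when the nonce is missing or wrong.
    check_ajax_referer( 'cwpp_example_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = isset( $_REQUEST['poll_id'] ) ? wp_unslash( $_REQUEST['poll_id'] ) : '';
    // ctype_digit() rejects "2or 1=1" outright instead of truncating it to 2.
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        wp_send_json_error( 'invalid poll_id', 400 );
    }
    return absint( $raw );
}

function cwpp_example_view_poll_result() {
    global $wpdb;
    $poll_id = cwpp_example_checked_poll_id();
    $table   = $wpdb->prefix . 'cwp_poll_answers'; // hypothetical table

    // %d binds the value as an integer; no request data is concatenated into SQL.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT answer, votes FROM {$table} WHERE pollid = %d", $poll_id )
    );
    wp_send_json_success( $rows );
}

function cwpp_example_delete_poll() {
    global $wpdb;
    $poll_id = cwpp_example_checked_poll_id();

    // $wpdb->delete() builds a prepared statement from the where/format arrays.
    $deleted = $wpdb->delete( $wpdb->prefix . 'cwp_poll', array( 'id' => $poll_id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The same gate applies to the edit, add and delete answer handlers: each destructive action needs the nonce and capability check before any query runs, not only input validation.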