Platform
php
Component
amazing-little-poll
Fixed in
1.3.1
1.4.1
CVE-2023-6768 represents a critical authentication bypass vulnerability affecting Amazing Little Poll versions 1.3 and 1.4. This flaw allows unauthorized users to gain access to the administrative panel without providing any credentials, effectively bypassing the intended security measures. The vulnerability is triggered by manipulating the lp_admin.php?adminstep= parameter. A patch is available in version 1.4.1.
The impact of this vulnerability is severe. An attacker can leverage it to completely compromise the poll system's administrative interface. This grants them full control over the poll's configuration, data, and potentially the underlying server if the poll has elevated privileges. Attackers could modify poll questions, results, user accounts, and even inject malicious code. The blast radius extends to all users who interact with the poll, as their data and privacy are at risk. This vulnerability is particularly concerning given the potential for widespread use of the plugin in various online platforms.
CVE-2023-6768 was publicly disclosed on December 20, 2023. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target. No public proof-of-concept code has been released, but the vulnerability is relatively straightforward to exploit. It is currently not listed on the CISA KEV catalog.
Exploit Status
EPSS
0.07% (21% percentile)
CVSS Vector
The primary mitigation is to immediately upgrade Amazing Little Poll to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the lpadmin.php file using your web server's configuration (e.g., .htaccess for Apache). This can be achieved by denying access to the file for all but authorized users. Monitor access logs for suspicious requests targeting lpadmin.php with unusual parameters. After upgrading, confirm the vulnerability is resolved by attempting to access the admin panel without authentication.
Update to a patched version or disable the plugin if no version is available. Restrict access to the lp_admin.php file using web server configuration (e.g., .htaccess on Apache) to prevent unauthorized access.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-6768 is a critical vulnerability in Amazing Little Poll versions 1.3 and 1.4 that allows unauthenticated users to access the admin panel by manipulating the lp_admin.php?adminstep= parameter.
You are affected if you are using Amazing Little Poll versions 1.3 or 1.4. Upgrade to version 1.4.1 or later to mitigate the risk.
Upgrade Amazing Little Poll to version 1.4.1 or later. As a temporary workaround, restrict access to lp_admin.php using your web server configuration.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the official Amazing Little Poll website or plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.