CVE-2026-39651
Missing Authorization in Total Poll Lite Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totalsuite | total_poll_lite | to 4.12.0 (inc) |
| totalpoll | total_poll_lite | to 4.12.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions reserved for higher-privileged roles. Such unauthorized access could potentially lead to unauthorized data access or modification.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require strict access controls and protection of sensitive data.
Can you explain this vulnerability to me?
CVE-2026-39651 is a Broken Access Control vulnerability in the WordPress Total Poll Lite Plugin versions up to and including 4.12.0.
The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions.
This allows unprivileged users, such as contributors or developers, to perform actions that should be reserved for higher-privileged roles.
It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a moderate risk level.
How can this vulnerability impact me? :
This vulnerability allows users with lower privileges to perform actions meant for higher-privileged roles, potentially leading to unauthorized changes or access within the affected WordPress plugin.
Although the impact is considered low and exploitation unlikely, such vulnerabilities are often targeted in mass-exploit campaigns affecting many websites indiscriminately.
If exploited, it could compromise the integrity and security of your website's polling functionality.
Immediate mitigation involves updating the plugin or seeking assistance from hosting providers or web developers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions of Total Poll Lite up to version 4.12.0, allowing unprivileged users to perform privileged actions.
Detection would involve checking the version of the Total Poll Lite plugin installed on your WordPress site to see if it is version 4.12.0 or earlier.
Since the vulnerability is related to broken access control in plugin functions, you can look for unusual privilege escalations or unauthorized actions performed by lower-privileged users.
No specific commands or network detection signatures are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Total Poll Lite plugin to a version newer than 4.12.0 once an official patch is available.
If updating is not possible at the moment, users are advised to seek assistance from their hosting provider or web developer to implement temporary protective measures.
Additionally, using security services such as those offered by Patchstack can help provide rapid vulnerability mitigation and continuous security intelligence.