{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39651", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:35.156Z", "dateUpdated": "2026-04-08T08:30:35.156Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "totalpoll-lite", "product": "Total Poll Lite", "vendor": "TotalSuite", "versions": [{"lessThanOrEqual": "4.12.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:39.245Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Total Poll Lite: from n/a through <= 4.12.0.</p>"}], "value": "Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a through <= 4.12.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:35.156Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/totalpoll-lite/vulnerability/wordpress-total-poll-lite-plugin-4-12-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Total Poll Lite plugin <= 4.12.0 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a through <= 4.12.0."}], "id": "CVE-2026-39651", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:36.193", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/totalpoll-lite/vulnerability/wordpress-total-poll-lite-plugin-4-12-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.12.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Total Poll Lite", "source": "cna", "vendor": "TotalSuite"}, "product": "total_poll_lite", "vendor": "totalsuite"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:05:34.386332+00:00", "value": {"mitigation_remediation": ["Update Total Poll Lite to a version newer than 4.12.0 or remove the plugin if it is no longer needed."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Total Poll Lite plugin from TotalSuite. Every release up to and including version 4.12.0 is impacted, regardless of the exact subversion number.", "description_and_impact": "The vulnerability is a missing authorization flaw that permits users to exploit incorrectly configured access control levels within the Total Poll Lite WordPress plugin. This can allow an attacker to read, modify, or delete poll data, inject content, or otherwise perform actions that the plugin should restrict to privileged users. The weakness is classified under CWE-862, representing unauthorized access to protected resources.", "risk_and_exploitability": "Because the flaw allows bypassing authorization checks, attacker exploitation is straightforward through crafted web requests to the plugin\u2019s administrative endpoints. No exploit probability score is available, and the vulnerability is not listed in the KEV catalog, but the lack of a required privileged state suggests a moderate to high likelihood of exploitation in environments where the plugin is active and accessible."}}}}, "created": "2026-04-08T19:28:20.642496+00:00", "updated": "2026-04-08T19:41:24.681660+00:00", "vendors": ["totalsuite", "totalsuite$PRODUCT$total_poll_lite", "wordpress", "wordpress$PRODUCT$wordpress"]}