TotalSuite Total Poll Lite Critical Code Injection (CVE-2026-27044)

Published: Mar 27, 2026 10:40

Advisory No: TZCERT-SA-26-0135

Source: CVE Database / TheHackerWire

Software Affected: TotalSuite Total Poll Lite WordPress plugin, versions up to and including 4.12.0

Overview

A critical Improper Control of Generation of Code (Code Injection) vulnerability (CVE-2026-27044) has been identified in TotalSuite Total Poll Lite, a WordPress polling plugin. Published on March 25, 2026, the vulnerability carries a CVSS score of 9.9 and allows Remote Code Inclusion: an unauthenticated attacker can inject code that is then executed within the application's environment.

Description

CVE-2026-27044 is a critical Code Injection vulnerability (CVSS score 9.9) affecting Total Poll Lite versions up to and including 4.12.0. It is classified as Improper Control of Generation of Code leading to Remote Code Inclusion. The plugin fails to adequately sanitize or validate user-supplied input before incorporating it into code that is subsequently executed, so a malicious payload, such as a remote URL or a local file path, can be supplied that the plugin then fetches and executes within its own environment. The critical CVSS score indicates that exploitation is possible remotely and without authentication, meaning any remote attacker who can reach the plugin's processing logic can craft input to achieve arbitrary code execution.

Impact

Successful exploitation of this critical vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the WordPress server, which may result in complete site takeover, data theft, persistent backdoor installation, or use of the server as a platform for further attacks.

Solution

Users are advised to update Total Poll Lite to the latest available version immediately. If no patched version is available, deactivate the plugin until a fix is released. Implement WAF rules to block suspicious input directed at the plugin and monitor web server and WordPress logs for exploitation attempts.
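An added inventory check (not from the advisory or the plugin vendor) for the version criterion above: it reads the standard WordPress plugin header and flags installs at or below 4.12.0. The page does not state the plugin's directory slug, so matching on the "Plugin Name" header is an assumption, as is the constructed sample header used for the offline run.

```python
import re
from pathlib import Path

# Values taken from the advisory. The plugin's directory slug is not stated
# on the page, so the check matches on the "Plugin Name:" header instead.
PLUGIN_NAME = "Total Poll Lite"
LAST_AFFECTED = "4.12.0"   # versions up to and including this are affected

_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

def parse_version(v: str) -> tuple:
    """Turn '4.12.0' into (4, 12, 0). A trailing label such as '-beta' is
    dropped from its component; enough for this numeric comparison."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when installed version <= last affected. An unparseable version
    yields an empty tuple, which compares as affected (conservative)."""
    return parse_version(version) <= parse_version(last_affected)

def read_plugin_header(php_source: str) -> dict:
    """Extract header fields; WordPress itself only reads the first 8 KiB."""
    return dict(_HEADER_RE.findall(php_source[:8192]))

def assess_source(php_source: str):
    """Return (name, version, affected) for the plugin's main file, else None."""
    hdr = read_plugin_header(php_source)
    name = hdr.get("Plugin Name", "")
    if name.lower() != PLUGIN_NAME.lower():
        return None
    version = hdr.get("Version", "0")  # missing Version header: treat as old
    return name, version, is_affected(version)

def scan_plugins_dir(plugins_root: str) -> list:
    """Assess every plugin main file under wp-content/plugins."""
    hits = [assess_source(p.read_text(errors="replace"))
            for p in Path(plugins_root).glob("*/*.php")]
    return [h for h in hits if h]

# Constructed sample header (not the real plugin file) for an offline run.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Total Poll Lite\n * Version: 4.12.0\n */\n"

if __name__ == "__main__":
    name, ver, hit = assess_source(SAMPLE_HEADER)
    print(f"{name} {ver}: {'AFFECTED, update or deactivate' if hit else 'not affected'}")
```

Point `scan_plugins_dir` at a real `wp-content/plugins` directory to check a live install.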
