Race Condition vulnerability that I found in WordPress TotalPoll Plugin (Write Up + AI generated blog)

Howdy Readers!

A race condition vulnerability has been discovered in the popular WordPress TotalPoll plugin. The vulnerability allows attackers to generate votes for their favorite streamers by exploiting a race condition in the plugin's voting logic.

The vulnerability exists in the TotalPoll plugin's voting logic. When a user votes for a poll, the plugin calls a function to update the poll's vote count. However, the function does not properly synchronize access to the vote count, which can lead to a race condition.

A race condition occurs when two or more threads of execution try to access the same data at the same time. If the data is not properly synchronized, it can be possible for one thread to overwrite the changes made by another thread.

In the case of the TotalPoll plugin, the race condition can be exploited to generate multiple votes for a poll. This can be done by creating multiple threads that all try to vote for the same poll at the same time.

The vulnerability is particularly concerning because it can be used to manipulate the results of polls. For example, a streamer could use the vulnerability to generate votes for themselves in order to win a poll.

The TotalPoll plugin has been updated to fix the vulnerability. However, users who are running an older version of the plugin are still vulnerable.

To protect yourself from this vulnerability, you should update the TotalPoll plugin to the latest version. You can also disable the plugin if you do not need it.

Here are some additional tips for protecting yourself from race condition vulnerabilities:

• Use a web application firewall (WAF) to block malicious traffic.
• Keep your software up to date.

--Tools--

• BurpSuite

--Proof of Concept--

Found this vulnerability 2 years ago while watching a stream on Twitch, The streamer announced she was nominated for a contest. So I checked the contest link and discovered the vulnerability after around 20-30 minutes of inspecting some of the website's features.

--Report Timeline--

Reported: May 12, 2021

First Response: May 12, 2021 (I'll need to check this with the team so we can decide whether we add "rate limitation" feature to the upcoming versions or not)

After reporting the issue, I didn't receive any updates from them.

I hope you find this article interesting and useful.

“Learn as if you will live forever, live like you will die tomorrow.”

— Mahatma Gandhi