A registered user who is either a poll admin or the author of a particular poll could be tricked into visiting a page that contains an iframe (or similar) pointing to Special:UpdatePoll with the id (poll ID), poll_answer_N (where N is 1-10, one for each of the 10 available answer options) and poll_image_name URL params set. The poll with the given ID would then be updated as requested, because the special page lacks a CSRF token check and only checks whether the request was POSTed.
Likewise, Special:CreatePoll is vulnerable to a similar attack, as it also fails to check for a token. All that is needed to trick someone into creating a poll is a POST request with the desired values.
Ironically enough, Special:AdminPoll is totally safe, because the administrative functions are currently not available in "pure" PHP but only via the API module + JS (see also T248390: Better NoJS support). Sadly, the API module is itself currently vulnerable to CSRF, as per @Bawolff, since it doesn't check the CSRF token for its write actions (delete, updateStatus, vote).
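
The POST-only check described for Special:UpdatePoll, next to a form that also requires a session-bound token, as an added stand-alone PHP model. It is not PollNY or MediaWiki code: every function name, the `token` field and the sample poll are assumptions made for illustration; only the id, poll_answer_N and poll_image_name parameters come from the report.

```php
<?php
// Added example: stand-alone model, not PollNY or MediaWiki code; all names are hypothetical.

// Issue a random token stored in the user's session; another origin cannot read it.
function issueToken(array &$session): string {
    $session['csrf'] = bin2hex(random_bytes(16));
    return $session['csrf'];
}

// Behaviour described in the report: only the request method is checked.
function updatePollPostOnly(string $method, array $post, array &$polls): bool {
    return $method === 'POST' && applyUpdate($post, $polls);
}

// Hardened form: POST plus a constant-time match against the session token.
function updatePollWithToken(string $method, array $post, array $session, array &$polls): bool {
    $sent = $post['token'] ?? '';
    if ($method !== 'POST' || !isset($session['csrf']) || !is_string($sent)
        || !hash_equals($session['csrf'], $sent)) {
        return false;
    }
    return applyUpdate($post, $polls);
}

// Copy poll_answer_1..poll_answer_10 and poll_image_name onto the poll with the given id.
function applyUpdate(array $post, array &$polls): bool {
    $id = (int)($post['id'] ?? 0);
    if (!isset($polls[$id])) {
        return false;
    }
    for ($n = 1; $n <= 10; $n++) {
        if (isset($post["poll_answer_$n"])) {
            $polls[$id]['answers'][$n] = (string)$post["poll_answer_$n"];
        }
    }
    if (isset($post['poll_image_name'])) {
        $polls[$id]['image'] = (string)$post['poll_image_name'];
    }
    return true;
}

// Constructed sample data: one poll, and a POST body that carries no token.
$session = [];
$token = issueToken($session);
$noToken = ['id' => '7', 'poll_answer_1' => 'changed'];
$polls = [7 => ['answers' => [1 => 'original'], 'image' => '']];
var_dump(updatePollPostOnly('POST', $noToken, $polls));
$polls[7]['answers'][1] = 'original'; // reset before the next check
var_dump(updatePollWithToken('POST', $noToken, $session, $polls));
var_dump(updatePollWithToken('POST', $noToken + ['token' => $token], $session, $polls));
```

In MediaWiki itself the corresponding check is the session edit token, for example `$user->matchEditToken( $request->getVal( 'wpEditToken' ) )` alongside `$request->wasPosted()`.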