CVE-2025-3880
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-07-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opinionstage | poll\,_survey_\&_quiz_maker | to 19.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress allows authenticated users with Contributor-level access or higher to modify certain plugin data without proper authorization. Specifically, due to a misconfigured capability check on several functions, these users can change the email address associated with the plugin's account connection and disconnect the plugin from the account. Although previously created content remains visible and functional after disconnection, this flaw enables unauthorized modification of account connection settings, potentially disrupting plugin integration.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing users with Contributor-level access or above to alter the plugin's account connection email and disconnect the plugin without proper authorization. This could lead to loss of control over the plugin's integration with the Opinion Stage service, potentially disrupting data synchronization or management. While existing content remains functional, unauthorized disconnection could affect plugin features that rely on the account connection, possibly causing administrative inconvenience or loss of plugin functionality tied to the connected account.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the Poll, Survey & Quiz Maker Plugin by Opinion Stage installed on your WordPress site. Versions up to and including 19.9.0 are vulnerable. You can detect the plugin version via WordPress admin dashboard or by running commands on the server. For example, to check the plugin version via command line, you can use: `grep 'Version:' wp-content/plugins/social-polls-by-opinionstage/plugin.php` or inspect the plugin directory for version files. Additionally, monitoring for unauthorized changes to the plugin's account connection email or unexpected disconnection events may indicate exploitation attempts. There are no specific network commands provided for detecting this vulnerability. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Poll, Survey & Quiz Maker Plugin by Opinion Stage to version 19.10.0 or later, which includes security improvements such as nonce-based protection for callback URLs to prevent unauthorized modifications. Until the update is applied, restrict Contributor-level access or higher to trusted users only, as the vulnerability allows authenticated users with Contributor-level access and above to modify account connection data. Additionally, monitor and review plugin account connection settings for unauthorized changes and disconnects. [1]