CVE-2025-13143 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Poll, Survey & Quiz Maker Plugin by Opinion Stage, a popular WordPress plugin used to create interactive polls, surveys, and quizzes. The vulnerability exists in all versions up to and including 19.12.0 due to missing or insufficient nonce validation in the disconnect_account_action function. Nonces are security tokens used to verify that requests originate from legitimate users and not from forged sources. Without proper nonce validation, attackers can craft malicious requests that, when executed by an authenticated administrator (via clicking a link or visiting a crafted webpage), cause the site to disconnect from the Opinion Stage platform integration. This action disrupts the connection between the WordPress site and the external Opinion Stage services, potentially disabling poll and survey functionalities. The vulnerability does not require authentication by the attacker but does require user interaction from an administrator, limiting the ease of exploitation. The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with attack vector network, low attack complexity, no privileges required, user interaction required, and impact limited to integrity. No patches or exploits are currently publicly available, but the risk lies in potential disruption of service and administrative inconvenience. This vulnerability highlights the importance of nonce validation in WordPress plugin development to prevent CSRF attacks.

The primary impact of this vulnerability is the potential disruption of the integration between a WordPress site and the Opinion Stage platform, which can disable or impair poll, survey, and quiz functionalities. This can affect user engagement and data collection efforts for organizations relying on these interactive tools. While the vulnerability does not expose sensitive data or allow code execution, it compromises the integrity of the site’s connection to an external service. For organizations with high reliance on Opinion Stage for customer feedback, marketing, or data gathering, this disruption could lead to operational setbacks and loss of user trust. Additionally, repeated or targeted exploitation could cause administrative overhead and potential downtime of interactive features. Since exploitation requires an administrator to be tricked into clicking a malicious link, the threat is somewhat mitigated by user awareness but remains a risk in environments with less stringent security training or phishing defenses.

To mitigate this vulnerability, organizations should immediately update the Poll, Survey & Quiz Maker Plugin by Opinion Stage to a version that includes proper nonce validation once released by the vendor. Until a patch is available, administrators should be cautious about clicking links from untrusted sources and implement strict user awareness training focused on phishing and social engineering risks. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts targeting the disconnect_account_action endpoint can provide additional protection. Administrators should also review and restrict administrative access to trusted personnel only and consider implementing multi-factor authentication (MFA) to reduce the risk of compromised credentials facilitating exploitation. Monitoring logs for unusual disconnect actions or suspicious requests can help detect attempted exploitation. Finally, plugin developers should audit nonce usage across all sensitive actions to prevent similar vulnerabilities.