The Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-13143. This vulnerability exists due to missing or insufficient nonce validation in the disconnect_account_action function, which is responsible for disconnecting the WordPress site from the Opinion Stage platform integration. Because nonce validation is either absent or inadequate, an attacker can craft a malicious request that, when executed by an authenticated site administrator (via clicking a specially crafted link), causes the site to disconnect from the Opinion Stage service without the administrator's explicit consent. The vulnerability affects all versions up to and including 19.12.0. The CVSS v3.1 base score is 4.3, indicating medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction (administrator clicking a link). The impact is limited to integrity, as the attacker cannot access confidential data or disrupt availability but can cause unauthorized changes to the site’s integration status. No known exploits have been reported in the wild, and no patches were linked at the time of disclosure. The vulnerability is classified under CWE-352, which covers CSRF issues where state-changing actions can be triggered without proper anti-CSRF tokens or nonce validation. This vulnerability is particularly relevant for WordPress sites using this plugin, especially those with administrators who might be targeted through phishing or social engineering attacks.

For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress sites using the Poll, Survey & Quiz Maker Plugin by Opinion Stage. Successful exploitation could disrupt the connection between the site and the Opinion Stage platform, potentially disabling polling, survey, and quiz functionalities that may be critical for user engagement, data collection, or customer feedback. Although the vulnerability does not directly expose sensitive data or cause denial of service, the loss of integration can impact business operations, marketing campaigns, and user experience. Organizations relying heavily on interactive content for customer insights or internal surveys may face operational setbacks. Additionally, the attack vector requires tricking an administrator, which means organizations with less mature security awareness or lacking phishing defenses are at higher risk. The medium severity score reflects the limited scope but non-negligible impact on site integrity and operational continuity.

1. Monitor for plugin updates from the vendor and apply patches promptly once available to address the nonce validation issue. 2. Until a patch is released, implement custom nonce validation or additional CSRF protections around the disconnect_account_action function, such as verifying user intent through multi-factor confirmation dialogs. 3. Educate WordPress site administrators about the risks of clicking unsolicited links, especially those that could trigger administrative actions. 4. Employ web application firewalls (WAFs) that can detect and block suspicious CSRF attempts targeting the plugin’s endpoints. 5. Restrict administrative access to trusted networks or VPNs to reduce exposure to remote CSRF attacks. 6. Regularly audit plugin usage and integration status to quickly detect unauthorized disconnections. 7. Consider disabling or limiting the use of the Opinion Stage plugin if it is not critical, or replace it with alternatives that have stronger security controls.