CVE-2025-3880: CWE-863 Incorrect Authorization in assafp Poll, Survey & Quiz Maker Plugin by Opinion Stage
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
AI Analysis
Technical Summary
The Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress contains an authorization flaw tracked as CVE-2025-3880 and classified as CWE-863 (Incorrect Authorization). Several of the plugin's functions that change its configuration are gated by a capability check that does not match the sensitivity of the action, so any authenticated user at Contributor level or above can reach them. Contributor is the lowest default WordPress role that can create content: it carries `read`, `edit_posts` and `delete_posts`, but not `manage_options`, the capability that site configuration normally requires. Through these functions an attacker can change the email address tied to the plugin's Opinion Stage account connection and disconnect the plugin from that account. All versions up to and including 19.9.0 are affected. The advisory describes no path to altering or deleting existing polls, surveys or quizzes, and notes that content created before a disconnection continues to display and function. The CVSS 3.1 base score is 4.3 (medium), consistent with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, low privileges required, no user interaction, and a limited integrity impact with no confidentiality or availability impact. No public exploit had been reported when this analysis was written. The root cause is the capability check itself: the handlers confirm that the caller is an authenticated user holding some capability, but not that the caller is authorized for an administrative configuration change, which is the defining pattern of CWE-863. The result is that a low-privileged user can take administrative actions that disrupt the plugin or confuse administrators about who changed what.
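To make the bug class concrete, here is an added illustration in PHP, written for this page and not taken from the Opinion Stage plugin's source. It shows a WordPress `admin-ajax.php` handler for a "save connection" action gated on `edit_posts`, a capability every Contributor holds, next to the same handler gated on `manage_options` with a nonce check. The function names, AJAX action names and option names (`example_connection_email`, `example_connection_token`) are hypothetical stand-ins.

```php
<?php
/**
 * Added illustration of the CWE-863 pattern behind CVE-2025-3880.
 * This is NOT the Opinion Stage plugin's code: every function, action and
 * option name below is a hypothetical stand-in.
 */

// --- Vulnerable shape: capability too weak for the action ------------------
// Every Contributor holds 'edit_posts', so this gate admits exactly the
// population the advisory names (Contributor and above) to a site-wide
// configuration change.
function example_weak_save_connection() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    update_option( 'example_connection_email', $email );
    if ( ! empty( $_POST['disconnect'] ) ) {
        // Dropping a stored token is one way "disconnect the plugin" could
        // be implemented (assumption for this illustration).
        delete_option( 'example_connection_token' );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_connection', 'example_weak_save_connection' );

// --- Hardened shape --------------------------------------------------------
// Site configuration is an administrator action, so the gate is
// 'manage_options'. check_ajax_referer() additionally requires a nonce
// minted for this action, which stops a cross-site request from driving a
// logged-in administrator through the same handler. The e-mail is
// validated, not merely sanitized, before it is stored.
function example_hardened_save_connection() {
    check_ajax_referer( 'example_save_connection', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    update_option( 'example_connection_email', $email );
    if ( ! empty( $_POST['disconnect'] ) ) {
        delete_option( 'example_connection_token' );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_connection_v2', 'example_hardened_save_connection' );

// The nonce the hardened handler checks is minted server-side on the admin
// page that submits the form, e.g.:
//   wp_nonce_field( 'example_save_connection', 'nonce' );
```

The difference between the two handlers is a single string, which is why this class of bug survives review: `current_user_can()` is present in both, so a reader scanning for "is there a capability check" sees one. The review question has to be "is the capability as restrictive as the action", and for anything that rewrites site-wide settings the answer in stock WordPress is `manage_options` (or a custom capability granted only to administrators). A quick audit of any plugin is to list every `wp_ajax_*`, `admin_post_*` and REST `permission_callback` and confirm each one that touches options or credentials requires that level plus a nonce.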
Potential Impact
The primary impact of CVE-2025-3880 is unauthorized modification of the plugin's configuration by any user with Contributor-level access or higher. An attacker can change the email address used for the Opinion Stage account connection or disconnect the plugin outright, which interrupts whatever depends on that connection: synchronization of new content, analytics and reporting, and any other integration the vendor account provides. Existing polls, surveys and quizzes keep displaying and working, so the visible symptom may be subtle; what is lost is administrative control over the connection and the data flows behind it. The exposure scales with the number of Contributor-and-above accounts: sites that hand out authoring roles to many staff, guest authors or agencies give every one of those accounts, and any attacker who phishes or reuses credentials for one of them, the ability to alter plugin behaviour. The flaw does not expose data or allow tampering with content, but it breaks the integrity of plugin management, and organizations that rely on the plugin for engagement or data collection should expect degraded service and a manual reconnection if it is exercised.
Mitigation Recommendations
Update the Poll, Survey & Quiz Maker Plugin by Opinion Stage to a release later than 19.9.0 in which the vendor has corrected the capability checks; the advisory names 19.9.0 as the last affected version, so any site still at or below it is vulnerable. Until that update is applied, treat every account at Contributor level or above as able to change the plugin's connection settings: review who holds those roles, remove or downgrade accounts that no longer need to author content, and grant elevated roles temporarily rather than permanently. Contributor is the lowest role that can write content, so this is a review of all authoring accounts, not only of privileged ones. Audit the plugin's connection settings (the email address and connection state in its admin screen, and the corresponding rows in the wp_options table) so that an unexpected change is noticed quickly, and retain web server and WordPress activity logs that tie configuration changes to user accounts. If the plugin is not critical, deactivate it until the fix is in place. A web application firewall can serve as a compensating control only if a rule can target the specific request the plugin uses for these changes; because the requests are authenticated and go to ordinary WordPress admin endpoints, generic rules will not distinguish them from legitimate traffic. Keep backups of the database, including plugin settings, so that a tampered connection can be restored, and watch the vendor's and Wordfence's advisories for the fixed version.
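The monitoring and role-hardening advice above can be enforced at the WordPress layer without touching the vulnerable plugin. The following must-use plugin is an added example written for this page, not the Opinion Stage plugin's code. It vetoes updates to a family of options by any logged-in user who lacks `manage_options`, and logs every update or deletion of those options with the acting account. The option-name prefix `example_connection_` is an assumption; the real names have to be read off the wp_options table after connecting the plugin, and the log line format is likewise the author's choice here.

```php
<?php
/**
 * Plugin Name: Example connection-settings guard
 * Description: Added compensating control written for this page; not the
 *              Opinion Stage plugin's code. Install as a must-use plugin
 *              (wp-content/mu-plugins/) so it loads before regular plugins.
 *
 * Assumption: the affected plugin stores its connection settings in
 * wp_options under names beginning with the prefix below. Replace it with
 * the prefix actually observed in wp_options.
 */

const EXAMPLE_GUARDED_OPTION_PREFIX = 'example_connection_';

function example_guard_is_guarded( $option ) {
    return 0 === strpos( $option, EXAMPLE_GUARDED_OPTION_PREFIX );
}

// One line per event in the PHP error log (or wherever error_log is routed).
function example_guard_log( $event, $option ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        '[connection-guard] %s option=%s user=%s(%d) ip=%s uri=%s',
        $event,
        $option,
        $user->user_login ?: '-',
        $user->ID,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ) );
}

// Veto: a logged-in user without manage_options gets the stored value
// handed back. update_option() skips the write when the filtered value
// equals the stored one, so the change is rejected and the attempt logged.
// Requests with no logged-in user (WP-Cron, WP-CLI) pass through; they are
// not the authenticated path the advisory describes.
add_filter( 'pre_update_option', function ( $value, $option, $old_value ) {
    if ( ! example_guard_is_guarded( $option ) ) {
        return $value;
    }
    if ( is_user_logged_in() && ! current_user_can( 'manage_options' ) ) {
        example_guard_log( 'BLOCKED update', $option );
        return $old_value;
    }
    return $value;
}, 10, 3 );

// Audit: record every change that does go through, so an administrator's
// own edits and any bypass of the veto are both visible after the fact.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( example_guard_is_guarded( $option ) ) {
        example_guard_log( 'updated', $option );
    }
}, 10, 3 );

// Core offers no filter to veto delete_option(), but the 'delete_option'
// action fires before the row is removed, so a deletion by a non-admin is
// at least recorded. If "disconnect" is implemented as removing a stored
// credential (an assumption here), this is where it would show up.
add_action( 'delete_option', function ( $option ) {
    if ( ! example_guard_is_guarded( $option ) ) {
        return;
    }
    $event = current_user_can( 'manage_options' ) ? 'deleted' : 'DELETED by non-admin';
    example_guard_log( $event, $option );
} );
```

Because the veto keys on the option name rather than on the plugin's request path, it does not depend on knowing which AJAX action or admin endpoint the vulnerable functions sit behind, which is the information a WAF rule would need. It also generalizes beyond this CVE: the same guard covers any option family whose writes should be administrator-only. Test it with a dedicated Contributor account before relying on it, and remove it once the patched plugin version is installed so that it does not mask a future regression in the vendor's own checks.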
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-22T19:41:16.892Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685152c6a8c921274385a0b0
Added to database: 6/17/2025, 11:34:30 AM
Last enriched: 2/27/2026, 1:59:57 PM
Last updated: 3/23/2026, 12:18:26 PM
Views: 64