CVE-2025-3880 is a security vulnerability identified in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress, affecting all versions up to and including 19.9.0. The vulnerability arises from an incorrect authorization check (CWE-863) in several plugin functions, allowing authenticated users with Contributor-level privileges or higher to modify sensitive plugin settings without proper permission validation. Specifically, these attackers can change the email address associated with the plugin's account connection and disconnect the plugin from its backend service. Although previously created content remains visible and functional after disconnection, unauthorized modification of account connection details can disrupt plugin operations and potentially facilitate further unauthorized actions or social engineering attacks. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited impact on confidentiality and availability but a notable integrity impact due to unauthorized changes. No known exploits are currently reported in the wild, and no official patches have been linked yet. The flaw stems from misconfigured capability checks that fail to restrict sensitive actions to appropriate user roles, exposing the plugin to privilege escalation within authenticated users.

For European organizations using WordPress sites with the vulnerable Opinion Stage plugin, this vulnerability poses a moderate risk. Unauthorized contributors or editors could alter plugin account settings, potentially disrupting survey and poll data collection or causing denial of service by disconnecting the plugin. While existing content remains accessible, the integrity of plugin configuration is compromised, which could affect data accuracy and trustworthiness. Organizations relying on these plugins for customer feedback, market research, or internal surveys may experience operational disruptions or data manipulation risks. Additionally, attackers might leverage this unauthorized access to conduct further attacks, such as phishing via changed email addresses or lateral movement within the WordPress environment. Given the widespread use of WordPress in Europe across various sectors, including SMEs, media, and public institutions, the vulnerability could impact a broad range of organizations if not mitigated promptly.

To mitigate this vulnerability, European organizations should first identify if they use the Poll, Survey & Quiz Maker Plugin by Opinion Stage on their WordPress sites. Immediate steps include restricting Contributor-level access and above to trusted users only, as these roles can exploit the vulnerability. Administrators should audit user roles and permissions to ensure minimal privilege principles are enforced. Until an official patch is released, consider temporarily disabling the plugin or replacing it with alternative survey tools that do not have this vulnerability. Monitoring WordPress logs for unusual changes to plugin settings or account connection details can help detect exploitation attempts. Organizations should also maintain regular backups of WordPress configurations and content to enable quick recovery if unauthorized changes occur. Once a patch becomes available, prompt application is critical. Additionally, implementing web application firewalls (WAFs) with rules to detect and block unauthorized modification attempts targeting plugin endpoints can provide an additional layer of defense.