Skip to main content

CVE-2025-3880: CWE-863 Incorrect Authorization in assafp Poll, Survey & Quiz Maker Plugin by Opinion Stage

Medium
VulnerabilityCVE-2025-3880cvecve-2025-3880cwe-863
Published: Tue Jun 17 2025 (06/17/2025, 11:23:36 UTC)
Source: CVE Database V5
Vendor/Project: assafp
Product: Poll, Survey & Quiz Maker Plugin by Opinion Stage

Description

The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.

AI-Powered Analysis

AILast updated: 07/14/2025, 20:47:56 UTC

Technical Analysis

CVE-2025-3880 is a security vulnerability identified in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress, affecting all versions up to and including 19.9.0. The vulnerability arises from an incorrect authorization check (CWE-863) in several plugin functions, allowing authenticated users with Contributor-level privileges or higher to modify sensitive plugin settings without proper permission validation. Specifically, these attackers can change the email address associated with the plugin's account connection and disconnect the plugin from its backend service. Although previously created content remains visible and functional after disconnection, unauthorized modification of account connection details can disrupt plugin operations and potentially facilitate further unauthorized actions or social engineering attacks. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited impact on confidentiality and availability but a notable integrity impact due to unauthorized changes. No known exploits are currently reported in the wild, and no official patches have been linked yet. The flaw stems from misconfigured capability checks that fail to restrict sensitive actions to appropriate user roles, exposing the plugin to privilege escalation within authenticated users.

Potential Impact

For European organizations using WordPress sites with the vulnerable Opinion Stage plugin, this vulnerability poses a moderate risk. Unauthorized contributors or editors could alter plugin account settings, potentially disrupting survey and poll data collection or causing denial of service by disconnecting the plugin. While existing content remains accessible, the integrity of plugin configuration is compromised, which could affect data accuracy and trustworthiness. Organizations relying on these plugins for customer feedback, market research, or internal surveys may experience operational disruptions or data manipulation risks. Additionally, attackers might leverage this unauthorized access to conduct further attacks, such as phishing via changed email addresses or lateral movement within the WordPress environment. Given the widespread use of WordPress in Europe across various sectors, including SMEs, media, and public institutions, the vulnerability could impact a broad range of organizations if not mitigated promptly.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first identify if they use the Poll, Survey & Quiz Maker Plugin by Opinion Stage on their WordPress sites. Immediate steps include restricting Contributor-level access and above to trusted users only, as these roles can exploit the vulnerability. Administrators should audit user roles and permissions to ensure minimal privilege principles are enforced. Until an official patch is released, consider temporarily disabling the plugin or replacing it with alternative survey tools that do not have this vulnerability. Monitoring WordPress logs for unusual changes to plugin settings or account connection details can help detect exploitation attempts. Organizations should also maintain regular backups of WordPress configurations and content to enable quick recovery if unauthorized changes occur. Once a patch becomes available, prompt application is critical. Additionally, implementing web application firewalls (WAFs) with rules to detect and block unauthorized modification attempts targeting plugin endpoints can provide an additional layer of defense.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-04-22T19:41:16.892Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 685152c6a8c921274385a0b0

Added to database: 6/17/2025, 11:34:30 AM

Last enriched: 7/14/2025, 8:47:56 PM

Last updated: 8/5/2025, 6:28:45 AM

Views: 12

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats