CVE-2025-3880: CWE-863 Incorrect Authorization in assafp Poll, Survey & Quiz Maker Plugin by Opinion Stage
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
AI Analysis
Technical Summary
CVE-2025-3880 is a security vulnerability identified in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress, affecting all versions up to and including 19.9.0. The vulnerability arises from an incorrect authorization check (CWE-863) in several plugin functions, allowing authenticated users with Contributor-level privileges or higher to modify sensitive plugin settings without proper permission validation. Specifically, these attackers can change the email address associated with the plugin's account connection and disconnect the plugin from its backend service. Although previously created content remains visible and functional after disconnection, unauthorized modification of account connection details can disrupt plugin operations and potentially facilitate further unauthorized actions or social engineering attacks. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited impact on confidentiality and availability but a notable integrity impact due to unauthorized changes. No known exploits are currently reported in the wild, and no official patches have been linked yet. The flaw stems from misconfigured capability checks that fail to restrict sensitive actions to appropriate user roles, exposing the plugin to privilege escalation within authenticated users.
Potential Impact
For European organizations using WordPress sites with the vulnerable Opinion Stage plugin, this vulnerability poses a moderate risk. Unauthorized contributors or editors could alter plugin account settings, potentially disrupting survey and poll data collection or causing denial of service by disconnecting the plugin. While existing content remains accessible, the integrity of plugin configuration is compromised, which could affect data accuracy and trustworthiness. Organizations relying on these plugins for customer feedback, market research, or internal surveys may experience operational disruptions or data manipulation risks. Additionally, attackers might leverage this unauthorized access to conduct further attacks, such as phishing via changed email addresses or lateral movement within the WordPress environment. Given the widespread use of WordPress in Europe across various sectors, including SMEs, media, and public institutions, the vulnerability could impact a broad range of organizations if not mitigated promptly.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first identify if they use the Poll, Survey & Quiz Maker Plugin by Opinion Stage on their WordPress sites. Immediate steps include restricting Contributor-level access and above to trusted users only, as these roles can exploit the vulnerability. Administrators should audit user roles and permissions to ensure minimal privilege principles are enforced. Until an official patch is released, consider temporarily disabling the plugin or replacing it with alternative survey tools that do not have this vulnerability. Monitoring WordPress logs for unusual changes to plugin settings or account connection details can help detect exploitation attempts. Organizations should also maintain regular backups of WordPress configurations and content to enable quick recovery if unauthorized changes occur. Once a patch becomes available, prompt application is critical. Additionally, implementing web application firewalls (WAFs) with rules to detect and block unauthorized modification attempts targeting plugin endpoints can provide an additional layer of defense.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
CVE-2025-3880: CWE-863 Incorrect Authorization in assafp Poll, Survey & Quiz Maker Plugin by Opinion Stage
Description
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
AI-Powered Analysis
Technical Analysis
CVE-2025-3880 is a security vulnerability identified in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress, affecting all versions up to and including 19.9.0. The vulnerability arises from an incorrect authorization check (CWE-863) in several plugin functions, allowing authenticated users with Contributor-level privileges or higher to modify sensitive plugin settings without proper permission validation. Specifically, these attackers can change the email address associated with the plugin's account connection and disconnect the plugin from its backend service. Although previously created content remains visible and functional after disconnection, unauthorized modification of account connection details can disrupt plugin operations and potentially facilitate further unauthorized actions or social engineering attacks. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited impact on confidentiality and availability but a notable integrity impact due to unauthorized changes. No known exploits are currently reported in the wild, and no official patches have been linked yet. The flaw stems from misconfigured capability checks that fail to restrict sensitive actions to appropriate user roles, exposing the plugin to privilege escalation within authenticated users.
Potential Impact
For European organizations using WordPress sites with the vulnerable Opinion Stage plugin, this vulnerability poses a moderate risk. Unauthorized contributors or editors could alter plugin account settings, potentially disrupting survey and poll data collection or causing denial of service by disconnecting the plugin. While existing content remains accessible, the integrity of plugin configuration is compromised, which could affect data accuracy and trustworthiness. Organizations relying on these plugins for customer feedback, market research, or internal surveys may experience operational disruptions or data manipulation risks. Additionally, attackers might leverage this unauthorized access to conduct further attacks, such as phishing via changed email addresses or lateral movement within the WordPress environment. Given the widespread use of WordPress in Europe across various sectors, including SMEs, media, and public institutions, the vulnerability could impact a broad range of organizations if not mitigated promptly.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first identify if they use the Poll, Survey & Quiz Maker Plugin by Opinion Stage on their WordPress sites. Immediate steps include restricting Contributor-level access and above to trusted users only, as these roles can exploit the vulnerability. Administrators should audit user roles and permissions to ensure minimal privilege principles are enforced. Until an official patch is released, consider temporarily disabling the plugin or replacing it with alternative survey tools that do not have this vulnerability. Monitoring WordPress logs for unusual changes to plugin settings or account connection details can help detect exploitation attempts. Organizations should also maintain regular backups of WordPress configurations and content to enable quick recovery if unauthorized changes occur. Once a patch becomes available, prompt application is critical. Additionally, implementing web application firewalls (WAFs) with rules to detect and block unauthorized modification attempts targeting plugin endpoints can provide an additional layer of defense.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-22T19:41:16.892Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 685152c6a8c921274385a0b0
Added to database: 6/17/2025, 11:34:30 AM
Last enriched: 7/14/2025, 8:47:56 PM
Last updated: 8/5/2025, 6:28:45 AM
Views: 12
Related Threats
CVE-2025-54872: CWE-798: Use of Hard-coded Credentials in Vessel9817 onion-site-template
HighCVE-2025-54884: CWE-400: Uncontrolled Resource Consumption in DavidOsipov Vision-ui
HighCVE-2025-54883: CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in DavidOsipov Vision-ui
CriticalCVE-2025-54876: CWE-522: Insufficiently Protected Credentials in JanssenProject jans
MediumCVE-2025-54869: CWE-770: Allocation of Resources Without Limits or Throttling in Setasign FPDI
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.