CVE-2025-64370 is a vulnerability identified in the YOP Poll plugin, versions up to and including 6.5.38. The root cause is a missing authorization mechanism that leads to incorrect access control enforcement. This flaw allows unauthenticated remote attackers to perform actions that should be restricted, potentially modifying poll data or configurations without proper permissions. The vulnerability does not affect confidentiality or availability but compromises data integrity by permitting unauthorized changes. The CVSS 3.1 base score is 5.3, indicating medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). No known exploits have been reported in the wild, and no official patches have been released as of the publication date. The vulnerability arises from a failure to enforce access control checks on sensitive operations within the YOP Poll plugin, which is commonly used for creating and managing polls on websites. Attackers can exploit this to manipulate poll results or settings, potentially undermining trust in polling data or causing operational issues for affected websites.

For European organizations, this vulnerability poses a risk primarily to the integrity of polling data and configurations managed via YOP Poll. Organizations relying on YOP Poll for customer feedback, internal surveys, or public opinion polling could face unauthorized data manipulation, which may lead to misinformation, reputational damage, or flawed decision-making. While the vulnerability does not compromise confidentiality or availability, the integrity impact can disrupt business processes or public trust. The ease of exploitation without authentication increases the risk, especially for publicly accessible polling platforms. Given the widespread use of WordPress plugins like YOP Poll in European SMEs and public sector websites, the threat could affect a broad range of entities. However, the absence of known exploits and patches reduces immediate risk but underscores the need for proactive mitigation. The impact is more pronounced in sectors where polling data integrity is critical, such as political organizations, market research firms, and public institutions.

To mitigate CVE-2025-64370, organizations should first audit their use of the YOP Poll plugin and identify all instances and versions deployed. Immediate steps include restricting access to poll management interfaces through web application firewalls (WAFs) or IP whitelisting to limit exposure. Administrators should implement strict role-based access controls (RBAC) within their content management systems to ensure only authorized users can modify polls. Monitoring and logging all poll-related activities can help detect unauthorized access attempts. Until an official patch is released, consider disabling or replacing the YOP Poll plugin with alternative polling solutions that enforce proper authorization. Additionally, organizations should keep abreast of vendor advisories and apply patches promptly once available. Conducting penetration testing focused on access control validation for polling components can also help identify residual risks. Finally, educating site administrators about secure configuration practices will reduce the likelihood of misconfiguration leading to exploitation.