Description
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery leading to accidental disconnection of the Opinion Stage integration
Action: Patch Immediately
AI Analysis

Impact

The Vulnerable Plugin suffers from missing or insufficient nonce validation in the disconnect_account_action function, enabling an unauthenticated attacker to forge a request that, when a site administrator inadvertently clicks it, disconnects the site from the Opinion Stage platform. This denial of integration can render polls, surveys, and quizzes nonfunctional until re‑added, potentially disrupting user engagement and data collection. The weakness is a classic CSRF scenario (CWE-352).

Affected Systems

WordPress sites using the Quiz, Poll & Survey Maker plugin by Opinion Stage with versions 19.12.0 and earlier are affected. The plugin integrates with the Opinion Stage platform and is installed as a standard WordPress plugin.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, while the EPSS score of less than 1% signals a very low probability of exploitation at present. The vulnerability is not listed in CISA KEV, and no known active exploits have been reported. The likely attack vector is a malicious link or email that tricks a site administrator into visiting a crafted URL while logged into WordPress, thereby submitting a forged disconnect request.

Generated by OpenCVE AI on April 27, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest available version, which includes nonce validation for account disconnection requests.
  • Re‑authorize the Opinion Stage integration after updating to ensure a new, secure connection token is in place.
  • Instruct site administrators to verify the legitimacy of any link that requests a site action and to use an email filter or authentication method that blocks arbitrary link clicking from unknown sources.

Generated by OpenCVE AI on April 27, 2026 at 22:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 27 Nov 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.0 - Cross-Site Request Forgery to Account Disconnection
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:48.319Z

Reserved: 2025-11-13T18:59:20.736Z

Link: CVE-2025-13143

cve-icon Vulnrichment

Updated: 2025-11-28T16:08:30.303Z

cve-icon NVD

Status : Deferred

Published: 2025-11-27T06:15:46.657

Modified: 2026-06-17T08:33:34.143

Link: CVE-2025-13143

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T23:00:13Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)