Description
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
Published: 2025-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Modify Plugin Settings
Action: Update Plugin
AI Analysis

Impact

The Poll, Survey & Quiz Maker Plugin contains a misconfigured capability check that allows any authenticated user with Contributor or higher privileges to alter plugin settings. Such users can change the e‑mail address used for the account connection or disconnect the plugin entirely; previously created content remains visible, but the plugin’s integration with external services may break. This is an unauthorized modification of data that compromises the integrity of the plugin configuration and disrupts its intended functionality. It is classified as CWE-863.

Affected Systems

The vulnerability affects the WordPress plugin Poll, Survey & Quiz Maker by Opinion Stage (also sold as Quiz, Poll & Survey Maker by Opinion Stage). All releases up through version 19.9.0 are affected. Any WordPress site running this plugin within the specified version range is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity. The EPSS score of less than 1% indicates a low estimated probability of exploitation, though not zero. The vulnerability is not listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation is recorded there. Attackers must first authenticate with Contributor-level or higher privileges; the CVSS vector rates the flaw as reachable over the network (AV:N) with low privileges required (PR:L), so it is an authenticated threat rather than one open to anonymous visitors.

Generated by OpenCVE AI on April 22, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress plugin to the latest version to eliminate the capability check flaw.
  • If an upgrade cannot be performed immediately, reduce or remove Contributor‑level permissions from users who need not manage plugin settings, and consider disabling the plugin’s settings interface for remaining roles.
  • Inspect the plugin configuration to confirm that the account connection e‑mail remains correct and that the plugin has not been inadvertently disconnected.



Advisories
Source: EUVD
ID: EUVD-2025-18491
Title: The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.

History

Wed, 09 Jul 2025 19:45:00 +0000

Values added:
  • First Time appeared: Opinionstage; Opinionstage poll\, Survey \& Quiz Maker
  • CPEs: cpe:2.3:a:opinionstage:poll\,_survey_\&_quiz_maker:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Opinionstage; Opinionstage poll\, Survey \& Quiz Maker

Tue, 17 Jun 2025 15:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 11:30:00 +0000

Values added:
  • Description: The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
  • Title: Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.9.0 - Incorrect Authorization to Authenticated (Contributor+) Plugin Settings Update
  • Weaknesses: CWE-863
  • References
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:16.170Z

Reserved: 2025-04-22T19:41:16.892Z

Link: CVE-2025-3880

Vulnrichment

Updated: 2025-06-17T14:03:44.256Z

NVD

Status: Analyzed

Published: 2025-06-17T12:15:25.870

Modified: 2025-07-09T19:25:53.077

Link: CVE-2025-3880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses