Impact
The YOP Poll plugin for WordPress contains a missing authorization flaw that lets users perform actions beyond their intended permissions. This broken access control allows attackers to manipulate polls, harvest votes, or potentially alter poll content, compromising the integrity of poll data and, by extension, trust in the WordPress site. The weakness is classified as CWE-862 (Missing Authorization), the failure to enforce an authorization check before performing a privileged action.
Affected Systems
WordPress sites using the YOP Poll plugin version 6.5.38 or earlier are impacted. The vulnerability applies to all supported installations of the plugin that have not applied the newer release where the access control issue is addressed.
Risk and Exploitability
The CVSS score of 5.3 corresponds to medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in CISA KEV, so no active exploit campaigns targeting it are known. The most likely attack vector is a malicious or compromised user account that gains unintended capabilities through the plugin's configuration interfaces: the attacker would use the missing authorization check to reach poll-management functions reserved for higher-privileged roles. If successful, the attacker could change poll results or add fraudulent entries without detection.
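The following is an added illustration of the CWE-862 pattern described above in a WordPress plugin, written for this advisory; it is not code from the YOP Poll plugin, and the hook names, option keys, route names and the `manage_options` capability are assumptions. It shows a poll-management AJAX handler that trusts any logged-in user beside the hardened form (capability check, nonce, input validation), and the same mistake and fix on a REST route.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
 * Not code from the YOP Poll plugin: action names, option keys and the
 * capability used are assumptions chosen to mirror a "poll management" surface.
 */

// --- Vulnerable pattern: the handler trusts any logged-in user ---------------
// wp_ajax_{action} fires for every authenticated user regardless of role.
// No capability or nonce check, so a subscriber-level account can rewrite
// poll settings or vote counts: this is the CWE-862 condition.
add_action( 'wp_ajax_demo_poll_update_vulnerable', 'demo_poll_update_vulnerable' );
function demo_poll_update_vulnerable() {
    $poll_id = absint( $_POST['poll_id'] ?? 0 );
    $votes   = absint( $_POST['votes'] ?? 0 );
    update_option( "demo_poll_{$poll_id}_votes", $votes ); // assumed option key
    wp_send_json_success( array( 'poll_id' => $poll_id, 'votes' => $votes ) );
}

// --- Hardened pattern: capability check + nonce + input validation -----------
add_action( 'wp_ajax_demo_poll_update', 'demo_poll_update_hardened' );
function demo_poll_update_hardened() {
    // 1. Authorization (the actual CWE-862 fix): only users allowed to manage
    //    polls may reach this code. 'manage_options' is an assumed choice; a
    //    plugin would usually register its own capability such as 'edit_polls'.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request with 403 on an invalid nonce.
    check_ajax_referer( 'demo_poll_update', 'nonce' );

    // 3. Input validation.
    $poll_id = absint( $_POST['poll_id'] ?? 0 );
    $votes   = absint( $_POST['votes'] ?? 0 );
    if ( 0 === $poll_id ) {
        wp_send_json_error( array( 'message' => 'Invalid poll id.' ), 400 );
    }

    update_option( "demo_poll_{$poll_id}_votes", $votes );
    wp_send_json_success( array( 'poll_id' => $poll_id, 'votes' => $votes ) );
}

// --- Same mistake and fix on a REST route ------------------------------------
add_action( 'rest_api_init', function () {
    // Weak: permission_callback '__return_true' opens the route to anyone.
    register_rest_route( 'demo-poll/v1', '/poll/(?P<id>\d+)/reset', array(
        'methods'             => 'POST',
        'callback'            => 'demo_poll_reset',
        'permission_callback' => '__return_true',
    ) );
    // Corrected: the permission callback decides per request who may call it.
    register_rest_route( 'demo-poll/v1', '/poll/(?P<id>\d+)/reset-secure', array(
        'methods'             => 'POST',
        'callback'            => 'demo_poll_reset',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );

function demo_poll_reset( WP_REST_Request $request ) {
    $poll_id = absint( $request['id'] );
    update_option( "demo_poll_{$poll_id}_votes", 0 );
    return rest_ensure_response( array( 'poll_id' => $poll_id, 'votes' => 0 ) );
}
```

The capability check is the fix for CWE-862 itself; the nonce (issued with `wp_create_nonce( 'demo_poll_update' )` and sent in the `nonce` POST field) addresses the separate CSRF case. When reviewing a plugin for this class of bug, look for `wp_ajax_*` handlers, `admin_post_*` handlers and REST routes whose `permission_callback` is `__return_true`, and confirm each one calls `current_user_can()` with a capability appropriate to the action before any state change.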
OpenCVE Enrichment