CVE-2025-3880
📋 TL;DR
This vulnerability in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress allows authenticated attackers with Contributor-level access or higher to modify plugin settings, including disconnecting the site's Opinion Stage account and changing the associated email address. All WordPress sites running the plugin at version 19.9.0 or lower are affected. Previously created polls, surveys and quizzes keep working, but the plugin's account-management functions can be changed by any user who can log in with Contributor rights or above.
💻 Affected Systems
- Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress
📦 What is this software?
A WordPress plugin that embeds polls, surveys and quizzes served by the Opinion Stage platform. The plugin links the site to an Opinion Stage account (identified by an email address) from the WordPress admin, and that account connection is what this vulnerability lets low-privilege users alter.
⚠️ Risk & Real-World Impact
Worst Case
An attacker disconnects the Opinion Stage account, disrupting creation and management of new polls and surveys, and changes the associated email address to one they control, potentially redirecting account-related email to the attacker.
Likely Case
Malicious contributors or editors disconnect the plugin account, causing administrative disruption and requiring reconnection of the Opinion Stage service.
If Mitigated
With proper user role management and monitoring, impact is limited to temporary service disruption that can be quickly remediated by administrators.
🎯 Exploit Status
Exploitation requires an authenticated account with at least Contributor privileges; no unauthenticated path is reported. The root cause is a missing capability check on the plugin's admin-side settings functions: they run for any logged-in user instead of being limited to users who can manage the site (for example, holders of the manage_options capability).
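The pattern behind this class of bug, as an added illustration that is not the plugin's own code: a WordPress AJAX handler registered only on a `wp_ajax_*` hook is reachable by every logged-in user, because that hook proves authentication, not authorization. The hook, function and option names below are hypothetical; the fixed version adds the capability check and a nonce.

```php
<?php
// Added example, not code from the Opinion Stage plugin. Names are hypothetical.

// VULNERABLE: wp_ajax_* hooks fire for any authenticated user, so a Contributor
// can POST action=example_disconnect_account to /wp-admin/admin-ajax.php and
// reach this handler. Nothing here checks what the caller is allowed to do.
add_action( 'wp_ajax_example_disconnect_account', 'example_disconnect_account_vulnerable' );
function example_disconnect_account_vulnerable() {
    delete_option( 'example_account_email' );
    update_option( 'example_account_connected', false );
    wp_send_json_success();
}

// FIXED: require a capability (authorization) and a nonce (CSRF protection)
// before touching any option. check_ajax_referer() ends the request on a bad nonce.
add_action( 'wp_ajax_example_disconnect_account_fixed', 'example_disconnect_account_fixed' );
function example_disconnect_account_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_account_action', 'nonce' );

    delete_option( 'example_account_email' );
    update_option( 'example_account_connected', false );
    wp_send_json_success();
}

// FIXED: same gate for the email-change path, plus input validation.
add_action( 'wp_ajax_example_set_account_email_fixed', 'example_set_account_email_fixed' );
function example_set_account_email_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_account_action', 'nonce' );

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    update_option( 'example_account_email', $email );
    wp_send_json_success( array( 'email' => $email ) );
}
```

When auditing a plugin for this bug class, grep for `add_action( 'wp_ajax_` and `admin_post_` registrations and confirm each handler calls `current_user_can()` with an appropriate capability before any `update_option`/`delete_option` call; the nonce alone does not stop a Contributor who can obtain one from their own session.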
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.9.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3310848/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Poll, Survey & Quiz Maker Plugin by Opinion Stage'.
4. Click 'Update Now' if available, or manually update to version 19.9.1 or later.
5. Verify the plugin is active and that existing polls/surveys still render.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily limit Contributor and Editor access, or remove unnecessary users, until the patch is applied. Any role from Contributor upward can reach the vulnerable functions, so demoting users to Subscriber is the relevant change.
WordPress admin: Users → All Users → Edit user roles
Disable Plugin
Deactivate the vulnerable plugin if it is not critically needed; this disables all poll/survey/quiz functionality on the site until it is reactivated.
WordPress admin: Plugins → Installed Plugins → Deactivate 'Poll, Survey & Quiz Maker Plugin by Opinion Stage'
🧯 If You Can't Patch
- Remove Contributor and Editor roles from untrusted users; only Administrators should be able to manage the plugin's account connection.
- Monitor for changes to the plugin's options and for user-role modifications, and alert on any change not made by an Administrator.
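A virtual patch for sites that cannot update yet, as an added example that is not part of the plugin or the advisory: a must-use plugin that refuses any `admin-ajax.php` action with the `opinionstage_` prefix (the prefix reported in the network indicators below) unless the caller can `manage_options`, and logs the blocked attempt. The prefix, the choice of capability and the log format are assumptions; confirm the prefix against your installed version before relying on it.

```php
<?php
/**
 * Plugin Name: Opinion Stage admin-ajax guard (temporary)
 * Description: Added example, not vendor code. Blocks opinionstage_* AJAX actions
 *              for users without manage_options. Remove after updating to 19.9.1+.
 */

// admin_init runs for admin-ajax.php requests before the wp_ajax_* handlers,
// so priority 0 here lets us reject the request before the plugin sees it.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // Assumption: the plugin registers its handlers as wp_ajax_opinionstage_*.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( strpos( $action, 'opinionstage_' ) !== 0 ) {
        return;
    }

    // Administrators (and anyone else granted manage_options) pass through.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $user = wp_get_current_user();
    error_log( sprintf(
        'opinionstage-guard: blocked action=%s user=%s id=%d roles=%s ip=%s',
        $action,
        $user->user_login,
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // Ends the request with a 403 JSON error; the vulnerable handler never runs.
    wp_send_json_error( 'forbidden', 403 );
}, 0 );
```

Install by copying the file into `wp-content/mu-plugins/`. The caveat: this blocks every `opinionstage_*` action for non-administrators, including any the plugin legitimately exposes to Editors or Contributors (for example, inserting an existing poll into a post), so test the editing workflow for those roles after enabling it, and remove the file once 19.9.1 or later is installed.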
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin: Plugins → Installed Plugins, find the plugin and verify version is 19.9.0 or lower.
Check Version:
WordPress CLI (the plugin's directory slug is social-polls-by-opinionstage, as in the references below): wp plugin get social-polls-by-opinionstage --field=version
Verify Fix Applied:
After update, confirm plugin version is 19.9.1 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- WordPress audit logs showing Contributor/Editor users accessing plugin admin functions
- Unexpected changes to opinionstage_account_email or opinionstage_account_disconnected options
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=opinionstage_* from non-admin users
SIEM Query:
source="wordpress" (user_role="contributor" OR user_role="editor") action="plugin_settings_change" plugin="opinionstage" (pseudo-query; map the field names to whatever your WordPress audit-log plugin actually emits)
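Most WordPress sites have no audit log that records option changes by role, so the log indicators above need something to produce them. The following must-use plugin, an added example that is not from the advisory or the vendor, writes a line to the PHP error log whenever an option with the `opinionstage_` prefix is updated or deleted, including who did it. The prefix is taken from the indicators above and the log format is an assumption; point `error_log` at a file your SIEM collects.

```php
<?php
/**
 * Plugin Name: Opinion Stage option audit
 * Description: Added example, not vendor code. Logs changes to opinionstage_* options.
 */

// Shared formatter: who is acting, from which address, on which option.
function osaudit_log_line( $event, $option, $old_value = null, $new_value = null ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        'opinionstage-audit: event=%s option=%s user=%s id=%d roles=%s ip=%s old=%s new=%s',
        $event,
        $option,
        $user->user_login !== '' ? $user->user_login : '(none)',
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        wp_json_encode( $old_value ),
        wp_json_encode( $new_value )
    ) );
}

// updated_option fires after a changed value is written; 3 args: name, old, new.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( strpos( $option, 'opinionstage_' ) === 0 ) {
        osaudit_log_line( 'updated', $option, $old_value, $value );
    }
}, 10, 3 );

// delete_option fires just before an option is removed; only the name is passed,
// so read the current value first to preserve it in the log.
add_action( 'delete_option', function ( $option ) {
    if ( strpos( $option, 'opinionstage_' ) === 0 ) {
        osaudit_log_line( 'deleted', $option, get_option( $option ), null );
    }
}, 10, 1 );
```

Alert on any line where `roles=` does not contain `administrator`; on a patched site such a line should not occur, so it is a useful post-update check as well as a detection while still exposed.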
🔗 References
- https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/trunk/plugin.php
- https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/trunk/src/Modules/Admin.php
- https://plugins.trac.wordpress.org/changeset/3310848/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ba86268a-7bd6-40ed-9af6-29409245675d?source=cve