Heads Up! Critical CSRF Vulnerability Discovered in Opinion Stage WordPress Plugin (CVE-2025-13143)

Overview

A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-13143, has been discovered in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress. This vulnerability affects all versions up to and including 19.12.0. It allows unauthenticated attackers to potentially disconnect a WordPress site from its Opinion Stage platform integration by tricking an administrator into clicking a malicious link or performing another action that unknowingly triggers a forged request.

Technical Details

The vulnerability stems from missing or insufficient nonce validation within the disconnect_account_action function of the plugin. Nonces are cryptographic tokens designed to protect against CSRF attacks. The lack of proper nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated administrator, will disconnect the WordPress site from the Opinion Stage service.

Specifically, in the affected versions the vulnerable code lives in the plugin's Admin.php file. The code can be reviewed (for historical analysis only; upgrading is the proper fix) at the following locations:

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13143 a score of 4.3 (Medium). This score reflects the potential for exploitation and the impact on the affected system. The attack vector is network-based, and the attack complexity is medium, requiring some degree of social engineering to trick a user into executing the malicious request. User interaction is required, and the scope is unchanged, meaning the attacker cannot directly gain elevated privileges on the WordPress server itself. Confidentiality, integrity, and availability impacts are low.

Possible Impact

Successful exploitation of this CSRF vulnerability could result in the following:

  • Disruption of Service: Disconnecting the Opinion Stage integration can disrupt the functionality of polls, surveys, and quizzes embedded on the WordPress site.
  • Data Integrity Issues: Disconnecting the account might lead to data synchronization problems or loss of data associated with Opinion Stage.
  • Reputational Damage: Depending on the usage of Opinion Stage, the disruption could negatively affect the user experience and potentially damage the site’s reputation.

Mitigation and Patch Steps

The primary mitigation step is to update the Poll, Survey & Quiz Maker Plugin by Opinion Stage to the latest version available in the WordPress plugin repository. The latest versions should include a fix for this CSRF vulnerability by implementing proper nonce validation on the disconnect_account_action function.
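To make the fix concrete, the following is an added illustration written for this post, not the Opinion Stage plugin's actual code: a minimal WordPress admin-post handler that disconnects an integration, first in the CSRF-exposed shape described under Technical Details and then protected by nonce validation and a capability check. The option name, action slug and function names are assumptions.

```php
<?php
// Added illustration (not the Opinion Stage plugin's code): a disconnect
// handler shown without and with WordPress nonce validation. The option
// name 'example_opinionstage_token' and the action slug are assumed.

// Link rendered on the plugin's settings page. wp_nonce_url() appends a
// _wpnonce parameter bound to the action name and the current user's session.
function example_disconnect_link() {
    $url = admin_url( 'admin-post.php?action=example_disconnect_account' );
    return wp_nonce_url( $url, 'example_disconnect_account' );
}

// Vulnerable shape: any request that reaches this handler while an
// administrator is logged in performs the disconnect. A page the
// administrator merely visits can cause their browser to send it.
function example_disconnect_account_vulnerable() {
    delete_option( 'example_opinionstage_token' );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Hardened shape: the request must carry a nonce the site issued for this
// action to this user, and the user must hold the required capability.
function example_disconnect_account_action() {
    // check_admin_referer() verifies $_REQUEST['_wpnonce'] against the action
    // and calls wp_die() on failure, so a forged request never reaches the
    // disconnect below.
    check_admin_referer( 'example_disconnect_account' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'Insufficient permissions.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    delete_option( 'example_opinionstage_token' );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Only the hardened handler is registered for the admin-post action.
add_action( 'admin_post_example_disconnect_account', 'example_disconnect_account_action' );
```

Because WordPress nonces are tied to the logged-in user and expire after roughly 24 hours, a link lifted from one administrator's session is rejected when replayed by a forged request from elsewhere.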

If immediate updating is not possible, consider the following temporary workarounds (though updating remains the recommended approach):

  • Exercise Caution: Be wary of suspicious links or requests, especially those related to disconnecting or modifying plugin settings.
  • Monitor User Activity: Keep a close eye on administrator accounts for any unusual activity.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
