{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13143", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-13T18:59:20.736Z", "datePublished": "2025-11-27T05:31:57.326Z", "dateUpdated": "2026-04-08T16:43:48.319Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:48.319Z"}, "affected": [{"vendor": "assafp", "product": "Quiz, Poll & Survey Maker by Opinion Stage", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "19.12.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.0 - Cross-Site Request Forgery to Account Disconnection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c16048a-6b05-48ef-92c3-6e3a42909adb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L195"}, {"url": "https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L196"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "timeline": [{"time": "2025-11-18T06:43:21.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-26T17:29:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T16:08:07.918424Z", "id": "CVE-2025-13143", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:08:39.509Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13143", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T16:08:07.918424Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:08:30.303Z"}}], "cna": {"title": "Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.0 - Cross-Site Request Forgery to Account Disconnection", "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "assafp", "product": "Poll, Survey & Quiz Maker Plugin by Opinion Stage", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "19.12.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-18T06:43:21.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-26T17:29:27.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c16048a-6b05-48ef-92c3-6e3a42909adb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L195"}, {"url": "https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L196"}], "descriptions": [{"lang": "en", "value": "The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-27T05:31:57.326Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13143", "state": "PUBLISHED", "dateUpdated": "2025-11-28T16:08:39.509Z", "dateReserved": "2025-11-13T18:59:20.736Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T05:31:57.326Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-13143", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T06:15:46.657", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L195"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L196"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c16048a-6b05-48ef-92c3-6e3a42909adb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:45:52.765937+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to the latest available version, which includes nonce validation for account disconnection requests.", "Re\u2011authorize the Opinion Stage integration after updating to ensure a new, secure connection token is in place.", "Instruct site administrators to verify the legitimacy of any link that requests a site action and to use an email filter or authentication method that blocks arbitrary link clicking from unknown sources."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Request Forgery leading to accidental disconnection of the Opinion Stage integration"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Quiz, Poll & Survey Maker plugin by Opinion Stage with versions 19.12.0 and earlier are affected. The plugin integrates with the Opinion Stage platform and is installed as a standard WordPress plugin.", "description_and_impact": "The Vulnerable Plugin suffers from missing or insufficient nonce validation in the disconnect_account_action function, enabling an unauthenticated attacker to forge a request that, when a site administrator inadvertently clicks it, disconnects the site from the Opinion Stage platform. This denial of integration can render polls, surveys, and quizzes nonfunctional until re\u2011added, potentially disrupting user engagement and data collection. The weakness is a classic CSRF scenario (CWE-352).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk, while the EPSS score of less than 1% signals a very low probability of exploitation at present. The vulnerability is not listed in CISA KEV, and no known active exploits have been reported. The likely attack vector is a malicious link or email that tricks a site administrator into visiting a crafted URL while logged into WordPress, thereby submitting a forged disconnect request."}}}}, "created": "2025-11-27T16:26:35.667094+00:00", "updated": "2026-04-27T23:00:13.944587+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}