CVE-2025-68594

Severity: HIGH
Published: 2025-12-24
Reported by: [email protected]
CVSS 3.1 base score: 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 24, 2025 - 13:16 (nvd)

Description

Missing Authorization vulnerability in Opinion Stage Poll, Survey & Quiz Maker Plugin by Opinion Stage social-polls-by-opinionstage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll, Survey & Quiz Maker Plugin by Opinion Stage: from n/a through <= 19.12.0.

Analysis

Broken access control in the Opinion Stage Poll, Survey & Quiz Maker Plugin for WordPress, versions through 19.12.0, allows authenticated attackers with low-level privileges to bypass authorization checks and access or modify high-sensitivity data. The vulnerability (CWE-862: Missing Authorization) enables privilege escalation through improperly configured access control mechanisms. EPSS probability is low at 0.04% (13th percentile), and no public exploit was identified at the time of analysis, though the authentication-bypass tags indicate that established attack patterns exist for this vulnerability class.

Technical Context

This vulnerability stems from CWE-862 (Missing Authorization), an access control flaw in which the application fails to perform an authorization check before granting access to a protected resource or function. The Opinion Stage plugin, which provides polling, survey, and quiz functionality for WordPress sites, does not adequately verify whether an authenticated user holds the permissions required for sensitive operations. The CVSS vector (PR:L) indicates that an attacker needs only low-privileged authenticated access, such as a WordPress Subscriber account, to exploit the misconfigured access control security levels. This is distinct from authentication bypass (although the issue is tagged as such): the attacker must first authenticate, but then faces no authorization barrier in front of privileged functions. The network-accessible attack vector (AV:N) with low complexity (AC:L) and no user interaction (UI:N) makes exploitation straightforward once low-privileged access is obtained. WordPress plugins frequently suffer from authorization flaws when developers rely on authentication alone (for example, the fact that a `wp_ajax_*` hook only fires for logged-in users) instead of checking the caller's capability through WordPress's roles and capabilities system.
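The pattern described above, in WordPress terms, as an added illustration that is not code from the Opinion Stage plugin (the hook, option and nonce names are invented): a handler that trusts authentication alone beside the same handler gated by a capability check and a nonce.

```php
<?php
// Hypothetical example, not the plugin's code. Both handlers are reachable only
// by logged-in users, because wp_ajax_* hooks never fire for anonymous callers.

// VULNERABLE PATTERN (CWE-862): any authenticated account, including a
// Subscriber, reaches this code. Nothing checks WHAT the caller may do.
function insecure_save_poll_settings() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'hypothetical_poll_settings', $settings ); // invented option name
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_hypothetical_save_poll_settings', 'insecure_save_poll_settings' );

// HARDENED PATTERN: authorize through the roles and capabilities system,
// verify a nonce against CSRF, and sanitize input before storing it.
function secure_save_poll_settings() {
    // Invalid or missing nonce: check_ajax_referer() dies with a 403 response.
    check_ajax_referer( 'hypothetical_poll_settings_nonce', 'nonce' );

    // The authorization check that was missing above. 'manage_options' is held
    // by Administrators only; use the narrowest capability that fits the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw ); // flat key/value list assumed
    update_option( 'hypothetical_poll_settings', $settings );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_hypothetical_save_poll_settings_secure', 'secure_save_poll_settings' );

// The same rule for REST endpoints: permission_callback is the authorization
// check, and omitting it (or returning true) is the REST form of CWE-862.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical/v1', '/poll-settings', array(
        'methods'             => 'POST',
        'callback'            => 'secure_save_poll_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The nonce expected by the hardened handler is issued server-side with `wp_create_nonce( 'hypothetical_poll_settings_nonce' )` and passed to the admin script (for example via `wp_localize_script`).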

Affected Products

WordPress Poll, Survey & Quiz Maker Plugin by Opinion Stage (social-polls-by-opinionstage), versions from the earliest available through 19.12.0, are confirmed vulnerable. The vulnerability affects all WordPress installations running these plugin versions regardless of WordPress core version. According to the Patchstack database, version 19.12.1 addresses this vulnerability, so the full vulnerable version range is ≤ 19.12.0. Sites using Opinion Stage's polling, survey, or quiz functionality with user registration enabled, or with multiple user accounts, face the highest exposure because of the low-privileged authentication requirement. The vulnerability advisory is available at https://patchstack.com/database/Wordpress/Plugin/social-polls-by-opinionstage/vulnerability/wordpress-poll-survey-quiz-maker-plugin-by-opinion-stage-plugin-19-12-1-broken-access-control-vulnerability.

Remediation

Immediately upgrade the Opinion Stage Poll, Survey & Quiz Maker Plugin to version 19.12.1 or later, which addresses the missing authorization vulnerability according to the Patchstack vulnerability database. Site administrators should open the WordPress admin dashboard, navigate to Plugins, and update social-polls-by-opinionstage to the latest available version. After updating, review WordPress user accounts and audit access logs for suspicious activity patterns that indicate potential exploitation, focusing in particular on low-privileged accounts reaching administrative functions or sensitive poll/survey data. As an interim mitigation if immediate patching is not feasible, consider temporarily disabling the plugin if polling functionality is non-critical, restricting new user registration, or implementing additional authentication layers such as two-factor authentication for all user accounts. Review WordPress user role assignments and remove unnecessary accounts with Subscriber or Contributor privileges. Complete vulnerability details and remediation guidance are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/social-polls-by-opinionstage/vulnerability/wordpress-poll-survey-quiz-maker-plugin-by-opinion-stage-plugin-19-12-1-broken-access-control-vulnerability. Organizations should also review other plugins for similar missing authorization issues by auditing their capability checks (for example, confirming that every `wp_ajax_*` handler and REST route callback verifies the caller's capability, not merely that the caller is logged in).

Priority Score

Score: 41 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0


CVE-2025-68594 vulnerability details – vuln.today
