Platform
wordpress
Component
social-polls-by-opinionstage
Fixed in
19.12.1
CVE-2025-13143 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Quiz, Poll & Survey Maker plugin developed by Opinion Stage for WordPress. This flaw allows unauthenticated attackers to potentially disconnect a WordPress site from the Opinion Stage platform if they can manipulate a site administrator into performing a specific action. The vulnerability affects versions from 0.0.0 up to and including 19.12.0, with a fix available in version 19.12.1.
The primary impact of this CSRF vulnerability is the unauthorized disconnection of a WordPress site from the Opinion Stage platform. An attacker could craft a malicious link that, when opened by a logged-in administrator, causes the administrator's browser to send a forged request to the plugin's disconnect action, severing the integration between the WordPress site and the Opinion Stage service. This could disrupt the quizzes, polls, and surveys hosted on the site, affecting user engagement and data collection. While the vulnerability does not directly lead to a data breach or system compromise, the service disruption, and the possibility that the disconnection is used as a stepping stone for other attacks, should be treated as a significant risk.
This vulnerability was publicly disclosed on 2025-11-27. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13143 is to upgrade the Quiz, Poll & Survey Maker plugin to version 19.12.1 or later without delay. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporary workarounds: restricting administrator access to sensitive pages, hardening the disconnectaccountaction function with stricter request validation (this is complex and requires careful coding), or using a WordPress security plugin with CSRF protection capabilities. After upgrading, confirm the fix by attempting to trigger the disconnection action with a forged request – it should be rejected.
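The following is an added illustrative example, not code from the Opinion Stage plugin, showing the CSRF pattern described above on a hypothetical WordPress admin-post handler registered under the action name disconnectaccountaction, beside the hardened form a fix of this kind typically takes (a capability check plus a nonce check). The option name, function names, nonce action string and settings page slug are assumptions made for the example.

```php
<?php
// Added illustrative example (not the Opinion Stage plugin's own code).
// Demonstrates the CSRF pattern behind CVE-2025-13143 on a hypothetical
// admin-post handler named "disconnectaccountaction", then its hardened form.
// Option name, function names, nonce action and page slug are assumptions.

// --- Vulnerable pattern: trusts any request from a logged-in admin --------
// A GET or POST to /wp-admin/admin-post.php?action=disconnectaccountaction
// runs this whether or not the admin intended it: the browser attaches the
// admin's session cookies even when the request originates from another site.
function example_disconnect_vulnerable() {
    delete_option( 'example_opinionstage_token' ); // assumed option name
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&disconnected=1' ) );
    exit;
}
// Intentionally not registered; shown only for comparison with the fix below.
// add_action( 'admin_post_disconnectaccountaction', 'example_disconnect_vulnerable' );

// --- Hardened pattern: capability check + nonce check ---------------------
// 1. The settings page emits a nonce-bearing link that only the current
//    admin's session could have produced.
function example_render_disconnect_link() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=disconnectaccountaction' ),
        'example_disconnect_account' // nonce action string (assumed)
    );
    echo '<a href="' . esc_url( $url ) . '">'
        . esc_html__( 'Disconnect account', 'example' ) . '</a>';
}

// 2. The handler refuses requests that lack the required capability or a
//    valid nonce. check_admin_referer() calls wp_die() (HTTP 403) on a missing
//    or stale nonce, so a forged cross-site request never reaches delete_option().
function example_disconnect_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_disconnect_account' );
    delete_option( 'example_opinionstage_token' );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&disconnected=1' ) );
    exit;
}
add_action( 'admin_post_disconnectaccountaction', 'example_disconnect_hardened' );
```

With the hardened handler in place, the verification step described above behaves as expected: a request to the action that carries no `_wpnonce` parameter (or one generated for a different user or action) is stopped by check_admin_referer() with WordPress's "The link you followed has expired" page and a 403 status, while the nonce-bearing link rendered on the settings page still works for the administrator who clicked it.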
Update to version 19.12.1, or a newer patched version
CVE-2025-13143 is a Cross-Site Request Forgery (CSRF) vulnerability in the Opinion Stage Quiz, Poll & Survey Maker plugin for WordPress, allowing attackers to disconnect sites from the Opinion Stage platform.
You are affected if your WordPress site uses the Quiz, Poll & Survey Maker plugin and is running a version between 0.0.0 and 19.12.0 inclusive.
Upgrade the Quiz, Poll & Survey Maker plugin to version 19.12.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13143.
Refer to the Opinion Stage website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-13143.