Platform
wordpress
Component
social-polls-by-opinionstage
Fixed version
19.12.1
CVE-2025-13143 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Quiz, Poll & Survey Maker plugin developed by Opinion Stage for WordPress. This flaw allows unauthenticated attackers to potentially disconnect a WordPress site from the Opinion Stage platform if they can manipulate a site administrator into performing a specific action. The vulnerability affects versions from 0.0.0 up to and including 19.12.0, with a fix available in version 19.12.1.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized disconnection of a WordPress site from the Opinion Stage platform. An attacker could craft a malicious link that, when clicked by a logged-in administrator, would send a forged request to Opinion Stage, effectively severing the integration between the WordPress site and the Opinion Stage service. This could disrupt the functionality of quizzes, polls, and surveys hosted on the site, potentially impacting user engagement and data collection. While the vulnerability doesn't directly lead to data breaches or system compromise, the disruption of services and potential for further exploitation (e.g., using the disconnection as a stepping stone for other attacks) should be considered a significant risk.
This vulnerability was publicly disclosed on 2025-11-27. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Quiz, Poll & Survey Maker plugin by Opinion Stage are at risk. This includes sites heavily reliant on Opinion Stage for quizzes, polls, and surveys, as well as those with administrative accounts that are frequently targeted by phishing or social engineering attacks. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk.
• wordpress / composer / npm:
  wp plugin list | grep 'Opinion Stage'
• wordpress / composer / npm:
  grep -r 'disconnect_account_action' /var/www/html/wp-content/plugins/opinion-stage/
• wordpress / composer / npm:
  wp plugin update --all
• generic web:
  Check the WordPress plugin version via wp plugin list and compare it against the affected versions (0.0.0–19.12.0).
Exploitation status
disclosure
EPSS
0.02% (3rd percentile)
The primary mitigation for CVE-2025-13143 is to upgrade the Quiz, Poll & Survey Maker plugin to version 19.12.1 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporary workarounds. These could include restricting administrator access to sensitive pages, implementing stricter input validation in the disconnect_account_action function (this is complex and requires careful coding), or using a WordPress security plugin with CSRF protection capabilities. After upgrading, confirm the fix by attempting to trigger the disconnection action with a forged request; it should be rejected.
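The standard WordPress defence against this class of CSRF bug is a nonce bound to the action plus a capability check, shown here as an added example written for this page, not code from the Opinion Stage plugin. The hook name `os_disconnect`, the nonce action `os_disconnect_account` and the option name `os_api_token` are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Hook, nonce action and option names are
// assumptions chosen for illustration.

// --- Vulnerable pattern (shown only; deliberately not hooked) ---
// Any request to admin-post.php?action=os_disconnect issued by a logged-in
// administrator's browser is honoured, so a form or link on a third-party page
// can trigger the disconnection: the CSRF class described in this advisory.
function os_disconnect_vulnerable() {
    delete_option( 'os_api_token' );
    wp_safe_redirect( admin_url( 'admin.php?page=os-settings&disconnected=1' ) );
    exit;
}

// --- Hardened pattern ---
// check_admin_referer() verifies the _wpnonce field against the action name and
// calls wp_die() with a 403 when it is missing or invalid. A cross-site request
// cannot obtain a valid nonce, so the forged request is rejected before any
// state changes. Requiring POST also stops plain links from triggering it.
function os_disconnect_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Invalid request method.', '', array( 'response' => 405 ) );
    }
    check_admin_referer( 'os_disconnect_account' ); // verifies _wpnonce or dies
    delete_option( 'os_api_token' );
    wp_safe_redirect( admin_url( 'admin.php?page=os-settings&disconnected=1' ) );
    exit;
}
add_action( 'admin_post_os_disconnect', 'os_disconnect_hardened' );

// The settings page renders the disconnect button as a POST form carrying the
// nonce; wp_nonce_field() emits the hidden _wpnonce and _wp_http_referer inputs.
function os_render_disconnect_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="os_disconnect">
        <?php wp_nonce_field( 'os_disconnect_account' ); ?>
        <?php submit_button( 'Disconnect from Opinion Stage', 'delete' ); ?>
    </form>
    <?php
}
```

To verify a fix of this shape, submit the form from the settings page (succeeds) and then replay the same POST with the _wpnonce field removed or altered (should return 403).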
Update to version 19.12.1 or a later fixed version.
CVE-2025-13143 is a Cross-Site Request Forgery (CSRF) vulnerability in the Opinion Stage Quiz, Poll & Survey Maker plugin for WordPress, allowing attackers to disconnect sites from the Opinion Stage platform.
You are affected if your WordPress site uses the Quiz, Poll & Survey Maker plugin and is running a version between 0.0.0 and 19.12.0 inclusive.
Upgrade the Quiz, Poll & Survey Maker plugin to version 19.12.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13143.
Refer to the Opinion Stage website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-13143.