CVE-2025-64370 in YOP Poll Plugin

Summary

by MITRE • 11/13/2025

Missing Authorization vulnerability in YOP YOP Poll yop-poll allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YOP Poll: from n/a through <= 6.5.38.


Analysis

by VulDB Data Team • 11/13/2025

CVE-2025-64370 is a critical missing authorization flaw in the YOP Poll WordPress plugin, affecting all versions from the initial release through 6.5.38. The weakness stems from improperly configured access control that lets unauthorized users reach administrative functionality. It belongs to the broader class of inadequate access control issues classified as CWE-285 (Improper Authorization). The plugin's security model fails to verify user permissions before executing sensitive operations, opening a path to privilege escalation.

The flaw manifests when the plugin does not validate the caller's role or capabilities before processing administrative requests. An attacker can use this gap to perform actions that should be restricted to administrators or other authorized users, potentially gaining access to sensitive data, modifying poll configurations, or even executing arbitrary code within the WordPress environment. The misconfiguration is a persistent risk that can be exploited across multiple attack vectors, including cross-site scripting, data manipulation, and unauthorized access to backend systems. Its impact is amplified by the plugin's widespread adoption: numerous WordPress installations could be vulnerable at the same time.
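The pattern described above, a handler that processes an administrative request without checking who is asking, is easiest to see side by side with its fix. The following is an added illustration written for this page, not YOP Poll's own code: a hypothetical plugin (`example_poll`, a made-up name) exposes a settings-save handler over WordPress admin-ajax, first with the missing-authorization defect and then with the capability check, nonce verification and input sanitization that WordPress provides for exactly this purpose. The option key and action names are assumptions; the WordPress functions (`current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `absint`, `sanitize_text_field`, `wp_unslash`) are real core APIs.

```php
<?php
// Added illustration (not YOP Poll's code): a hypothetical poll plugin's
// admin-ajax handler, first with the missing-authorization defect, then hardened.
// Plugin name, action names and option keys are constructed for this example.

// --- Vulnerable pattern -------------------------------------------------------
// wp_ajax_{action} fires for ANY logged-in user regardless of role, so a
// subscriber-level account can call this and rewrite poll settings. The handler
// assumes that only administrators ever reach it and never checks.
add_action( 'wp_ajax_example_poll_save_settings', 'example_poll_save_settings_vulnerable' );
function example_poll_save_settings_vulnerable() {
    $poll_id  = intval( $_POST['poll_id'] ?? 0 );
    $settings = $_POST['settings'] ?? array();          // unsanitized, unauthorized
    update_option( 'example_poll_settings_' . $poll_id, $settings );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
// Same functionality; the request is rejected unless the caller is authorized
// and the request carries a valid nonce, and input is sanitized before storage.
add_action( 'wp_ajax_example_poll_save_settings_v2', 'example_poll_save_settings_hardened' );
function example_poll_save_settings_hardened() {
    // 1. Authorization: require a capability that implies poll administration.
    //    'manage_options' is the built-in administrator-level capability; a real
    //    plugin may register a narrower custom capability instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. Request authenticity: a nonce bound to this action defeats CSRF.
    //    check_ajax_referer() terminates the request with 403 if the nonce is
    //    missing or invalid (its default third argument is die = true).
    check_ajax_referer( 'example_poll_save_settings', '_ajax_nonce' );

    // 3. Input validation: only now touch the request body, and sanitize it.
    $poll_id = absint( $_POST['poll_id'] ?? 0 );
    if ( 0 === $poll_id ) {
        wp_send_json_error( array( 'message' => 'Invalid poll id' ), 400 );
    }
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );

    update_option( 'example_poll_settings_' . $poll_id, $settings );
    wp_send_json_success( array( 'poll_id' => $poll_id ) );
}

// The nonce the admin page's JavaScript must send is issued where that page
// renders, e.g. wp_create_nonce( 'example_poll_save_settings' ) handed to the
// script via wp_localize_script(), or wp_nonce_field() inside a form.
```

Two details matter for triage of reports like this one. First, the capability check and the nonce check are independent controls: a nonce alone proves the request came from a page the user loaded, not that the user is allowed to perform the action, so a handler that only calls `check_ajax_referer()` still has the CWE-285 defect. Second, if a handler is additionally registered under `wp_ajax_nopriv_{action}`, the same missing check is reachable without any account at all, which widens the exposure from low-privileged users to the unauthenticated internet.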

The operational consequences of CVE-2025-64370 extend beyond simple unauthorized access: the flaw can enable a cascading compromise of an entire WordPress installation. Once an attacker has gained unauthorized access through it, they can manipulate poll results, read confidential voting data, modify plugin settings, and potentially establish persistent backdoors on the affected system. WordPress plugins are a particularly concerning attack surface because they interact directly with the database and with user-facing interfaces. The vulnerability aligns with ATT&CK technique T1078.004, which covers valid accounts, and T1566.001, which covers credential harvesting, since unauthorized access is achieved by exploiting weak access control rather than by traditional credential theft.

Organizations and system administrators should prioritize updating the plugin to version 6.5.39 or later, which contains the access control fix. Network segmentation, monitoring for unusual administrative activity, and regular security audits of installed plugins further reduce the risk. Remediation should include testing to confirm that the updated plugin introduces no compatibility issues with the existing WordPress installation. Security teams should also consider automated patch management so that similar vulnerabilities do not accumulate in their environments; this type of access control misconfiguration is a common pattern that is best addressed through secure development lifecycle practices and regular security assessments.

Responsible

Patchstack

Reservation

10/31/2025

Disclosure

11/13/2025

Moderation

accepted

CPE

ready

EPSS

0.00038

KEV

no

Activities

very low

Sector

Education

Sources
