CVE-2025-64370
Description
Missing Authorization vulnerability in YOP YOP Poll yop-poll allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YOP Poll: from n/a through <= 6.5.38.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
YOP Poll plugin ≤6.5.38 has a missing authorization vulnerability allowing unprivileged users to exploit broken access controls.
Vulnerability Overview
The YOP Poll plugin for WordPress versions up to and including 6.5.38 contains a missing authorization vulnerability. The issue stems from incorrect configuration of access control security levels, specifically a broken access control (missing authorization) flaw [1]. This allows an attacker to exploit improperly configured permission checks.
Exploitation Conditions
No authentication or special privileges are required to exploit this vulnerability. The broken access control allows an unprivileged user to potentially execute actions intended for higher-privileged roles [1]. The attack surface is exposed to unauthenticated users, making it exploitable remotely.
Impact
Successful exploitation could lead to unauthorized access to administrative functions or sensitive data. While the CVSS score is 5.3 (Medium), the vulnerability is noted to be used in mass-exploit campaigns against thousands of websites regardless of traffic size or popularity [1]. YOP Poll describes the likelihood of exploitation as low but encourages updating.
Mitigation
The vulnerability is fixed in version 6.5.39. All users are strongly advised to update to the latest version immediately [1]. Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update, consulting a hosting provider or web developer is recommended as a mitigation step [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)