CVE-2025-53328: 
WordPress vulnerability analysis and mitigation

The CVE-2025-53328 is a Local File Inclusion vulnerability discovered in the Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress. The vulnerability affects versions up to and including 19.11.0, and was disclosed on August 26, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, also known as PHP Remote File Inclusion (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is Network-based, requiring high attack complexity and user interaction, but no privileges. The vulnerability can potentially impact confidentiality, integrity, and availability at a high level (AttackerKB, Rapid7).

The vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. This could result in unauthorized access to sensitive data, including database credentials, depending on the configuration. The impact could extend to complete database takeover in certain scenarios (Patchstack).

The vulnerability has been patched in version 19.11.1 of the Poll, Survey & Quiz Maker Plugin. Users are strongly advised to update to version 19.11.1 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).