CVE-2025-64370: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in YOP Poll WordPress plugin affecting versions up to and including 6.5.38. The vulnerability was disclosed on November 2, 2025, and was assigned CVE-2025-64370. This security flaw allows unauthenticated attackers to perform unauthorized actions due to incorrectly configured access control security levels (Rapid7, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) due to missing authorization checks in certain plugin functions. It received a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating that it can be exploited over the network with low attack complexity and requires no privileges or user interaction (Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions within the YOP Poll plugin functionality. While the severity is considered low, it represents a security risk due to the lack of proper access control mechanisms (Patchstack).

The vulnerability has been fixed in YOP Poll version 6.5.39. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins to ensure timely remediation (Patchstack).