Warning: old version
This recommendation applies to version 2.73.2 of this plugin, but the most recent version is 2.73.5. These findings may no longer be correct.
- Doesn't always escape output before rendering it as HTML
- Doesn't always prepare (or escape) the values it puts into SQL queries
- Allows IP address spoofing depending on server configuration. Because the plugin identifies voters by IP address, a spoofed address can be used for several purposes:
  - Avoiding the prohibition on voting multiple times
  - Obscuring the real IP address of a voter from administrators looking at the logs provided by this plugin
  - Looking at the answers of other poll participants: the default poll template will show you what somebody else voted for if you know their IP address
  - Even if the server is configured to strip IP forwarding headers, users on the same network could potentially see what somebody else voted for, because multiple users behind the same NAT gateway will typically share a single public IPv4 address
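The header-trust problem described above, as an added example that is not part of this inspection and not the plugin's own code: a PHP function that resolves a voter's address the way a poll plugin should, beside the weak pattern it replaces. The `X-Forwarded-For` header name, the trusted proxy list and the sample requests are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Header name, proxy list and the
// sample requests below are assumptions chosen for illustration.

// Weak pattern: believe whatever forwarding header the client sends.
// Any visitor can set X-Forwarded-For, so this lets them vote again,
// hide their real address from the log, or claim another voter's address.
function voter_ip_unsafe(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]); // first entry is the one the client controls
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened pattern: only honour a forwarding header when the TCP peer is a
// proxy we operate, and even then take the address our proxy appended
// (walking the chain from the right), not one the client may have planted.
function voter_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // no proxy of ours in front: the peer address is the client
    }
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $header));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $ip = $chain[$i];
        // Skip our own proxies; the first remaining valid address is the client.
        if (!in_array($ip, $trusted_proxies, true)
            && filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return $remote;
}

// Constructed request: the client connects directly but sends a forged header.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
];
$trusted = ['10.0.0.2']; // our reverse proxy (assumed address)

// The weak function reports the forged address; the hardened one reports the peer.
var_dump(voter_ip_unsafe($forged));
var_dump(voter_ip($forged, $trusted));

// Constructed request via our proxy, with a client-planted entry at the front
// of the chain; the hardened function still returns the address our proxy saw.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
];
var_dump(voter_ip($proxied, $trusted));
```

Even the hardened version only fixes the spoofing; it does nothing about the shared-IPv4 problem noted above, so an IP address should not be the sole key for deduplicating votes or for deciding whose answers to reveal.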
Read more about our failure criteria.
| Failure criteria |
|---|
| Execution of unprepared SQL statements |
| Lack of proper output escaping |
We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.
Please read this site's terms of service before taking any action based on information published here.
- Tom Adams
- Last revised: April 4, 2017
- Versions tested: 2.73.2