WP-Polls

Adds an AJAX poll system to your WordPress blog. You can also easily add a poll into your WordPress's blog post/page.


No issues found

Confidence: Medium. This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe.


Warning: old version

This recommendation applies to version 2.73.2 of this plugin, but the most recent version is 2.73.5. These findings may no longer be correct.

Findings

  • Doesn’t always escape HTML
  • Doesn’t always escape SQL
  • Allows IP address spoofing, depending on server configuration, because the voter's address can be taken from client-supplied forwarding headers. This can be used for several purposes:
    • Avoiding the prohibition on voting multiple times
    • Obscuring the IP address of voters from administrators looking at the logs provided by this plugin
    • Looking at the answers of other poll participants. The default poll template will show you what somebody else voted for if you know their IP address
  • Even if the server is configured to strip IP forwarding headers, users on the same network could potentially look at what somebody else voted for, because multiple users on the same network will typically share an IPv4 address
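The spoofing finding above comes from a common pattern: deriving the voter's address from whichever forwarding header the request carries. The following is an added example, not code from WP-Polls, that puts that risky pattern next to a resolver which honours X-Forwarded-For only when the TCP peer is one of a constructed list of trusted reverse proxies; the helper names, the proxy list and the sample requests are all assumptions made for illustration.

```php
<?php
// Added example (not WP-Polls code): resolving a voter's IP address.

/**
 * Risky pattern: believe whichever forwarding header is present.
 * REMOTE_ADDR is consulted last, so a client talking directly to the web
 * server can send its own X-Forwarded-For value and be recorded under any
 * address it likes. That defeats per-IP vote limits and pollutes the vote log.
 */
function client_ip_trusting_headers(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            // Take the first hop of a comma-separated list.
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '0.0.0.0';
}

/**
 * Hardened: REMOTE_ADDR is filled in by the web server from the TCP
 * connection and cannot be forged by the client. X-Forwarded-For is only
 * consulted when that peer is one of our own reverse proxies, and then the
 * chain is walked from the right so that the address returned is the one a
 * trusted proxy saw, not one the client prepended itself.
 * $trusted_proxies is an assumed deployment setting.
 */
function client_ip_trusted_proxies(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // no proxy in front of us, so the header is untrusted
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted_proxies, true)) {
            // First address from the right that we did not add ourselves.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
        }
    }
    return $peer;
}

// Constructed request: a direct client forges the forwarding header.
$forged = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.5',
];
$trusted = ['10.0.0.2']; // constructed: the address of our reverse proxy

echo client_ip_trusting_headers($forged), "\n";
echo client_ip_trusted_proxies($forged, $trusted), "\n";

// Constructed request that genuinely arrived through the trusted proxy,
// which appended its own address to the chain.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.5, 10.0.0.2',
];
echo client_ip_trusted_proxies($proxied, $trusted), "\n";
```

For the forged request the header-trusting resolver reports the client-chosen 203.0.113.5 while the hardened one reports the real peer 198.51.100.7; for the genuinely proxied request both agree on 203.0.113.5. Note that even the hardened resolver only identifies a network endpoint: as the last finding says, many users share one IPv4 address, so an IP address on its own is neither a reliable duplicate-vote check nor a safe key for showing a participant "their" answer.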

Failure criteria

Read more about our failure criteria.

Fail Execution of unprepared SQL statements
Fail Lack of proper output escaping
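Both failing criteria describe the same class of defect: untrusted data reaching SQL or HTML without going through an escaping layer. As an added example, not code from WP-Polls, the block below shows each risky form next to the WordPress-idiomatic fix. It assumes a loaded WordPress environment (the $wpdb global with prepare(), plus esc_html() and absint()); the table name, column names and request parameter are constructed for illustration.

```php
<?php
// Added example (not WP-Polls code): unprepared SQL and unescaped output,
// each next to its fix. Assumes WordPress is loaded.

global $wpdb;
$table = $wpdb->prefix . 'example_poll_answers'; // constructed table name

// Unprepared SQL: the request parameter is concatenated into the statement,
// so whatever the client sends becomes part of the query text.
$poll_id = $_GET['poll_id'];
$rows = $wpdb->get_results("SELECT answer_text, votes FROM {$table} WHERE poll_id = {$poll_id}");

// Prepared SQL: the value travels as a placeholder argument and absint()
// coerces it to a non-negative integer before it gets anywhere near the query.
$poll_id = absint($_GET['poll_id'] ?? 0);
$rows = $wpdb->get_results(
    $wpdb->prepare("SELECT answer_text, votes FROM {$table} WHERE poll_id = %d", $poll_id)
);

// Unescaped output: a stored answer containing markup is emitted verbatim,
// which is how stored cross-site scripting reaches every later visitor.
foreach ($rows as $row) {
    echo '<li>' . $row->answer_text . ' (' . $row->votes . ')</li>';
}

// Escaped output: esc_html() neutralises <, >, & and quotes at the point of
// output regardless of what was stored, and the count is cast to int.
foreach ($rows as $row) {
    printf('<li>%s (%d)</li>', esc_html($row->answer_text), (int) $row->votes);
}
```

Escaping belongs at the point of output and preparation at the point of query construction; sanitising once on input does not replace either, because the same stored value can later be rendered in HTML, an attribute, JavaScript or SQL, each of which needs its own context-specific escaping.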

We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.

Please read this site's terms of service before taking any action based on information published here.

Testers: Tom Adams
Last revised: April 4, 2017
Versions tested: 2.73.2
Plugin homepage: WP-Polls
Other versions: None listed