Plugin inspection:

WP-Polls

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.

Warnings

This recommendation applies to version 2.73.2 of this plugin, but the most recent version is 2.77.2. These findings may no longer be correct.

Findings

  • Doesn’t always escape HTML
  • Doesn’t always escape SQL
  • Allows IP address spoofing when the server passes client-supplied forwarding headers (for example X-Forwarded-For) through to the plugin. A forged header can be used for several purposes:
    • Bypassing the check that stops a voter from voting more than once
    • Hiding the real IP address of voters from administrators who look at the logs this plugin keeps
    • Reading other participants' answers: the default poll template shows what someone else voted for if you know (or can claim) their IP address
  • Even if the server is configured to strip forwarding headers, users on the same network may still be able to see what someone else voted for, because users behind the same NAT gateway typically share one public IPv4 address
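The following is an added illustration of the forwarding-header problem described above; it is not code from WP-Polls or from this review. It contrasts a lookup that honours whichever forwarding header the client sends with a hardened lookup that only honours X-Forwarded-For when the TCP peer is a known reverse proxy. The function names, the `$trusted_proxies` list and the sample `$_SERVER`-style arrays are assumptions made for the example.

```php
<?php
// Added example, not WP-Polls code. Shows why honouring client-supplied
// forwarding headers lets a voter choose the IP address the plugin records,
// and a hardened lookup that trusts the header only behind a known proxy.

/**
 * Insecure pattern: the first forwarding header present wins, so any client
 * can send "X-Forwarded-For: 203.0.113.7" and be logged (and deduplicated)
 * as that address.
 */
function insecure_client_ip(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            // X-Forwarded-For may be a comma-separated list; take the first entry.
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '0.0.0.0';
}

/**
 * Hardened lookup. $trusted_proxies is an assumed list of reverse-proxy
 * addresses the site operator controls. The header is honoured only when the
 * TCP peer (REMOTE_ADDR) is one of them, and then only the entry that proxy
 * appended (the last one), because earlier entries are still client-supplied.
 */
function hardened_client_ip(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer; // direct connection: forwarding headers are untrusted input
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }
    $chain = array_map('trim', explode(',', $xff));
    $candidate = end($chain);
    // Reject anything that is not a syntactically valid IP address.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

// Constructed request: the real peer is 198.51.100.20 and it sends a forged header.
$spoofed = [
    'REMOTE_ADDR'          => '198.51.100.20',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
];
$trusted = ['10.0.0.2']; // assumed reverse-proxy address

echo "insecure: ", insecure_client_ip($spoofed), "\n";
echo "hardened: ", hardened_client_ip($spoofed, $trusted), "\n";

// Constructed request that genuinely arrived through the trusted proxy, which
// appended the address it saw (192.0.2.44) after the client's own header value.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 192.0.2.44',
];
echo "hardened via proxy: ", hardened_client_ip($proxied, $trusted), "\n";
```

With the forged request, the insecure lookup reports the attacker-chosen 203.0.113.7 while the hardened lookup reports the real peer 198.51.100.20; for the request that came through the trusted proxy, the hardened lookup reports 192.0.2.44, the address the proxy itself observed. To check a live install without reading its source, submit the same vote twice with different X-Forwarded-For values: if the second vote is accepted, the server is passing the header through and the plugin is using it for deduplication.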

Failure criteria

  • Execution of unprepared SQL statements
  • Lack of proper output escaping

Read more about our failure criteria.