This recommendation applies to version 2.73.2 of this plugin, but the most recent version is 2.75.5. These findings may no longer be correct.
Doesn’t always escape HTML
Doesn’t always escape SQL
Allows IP address spoofing depending on server configuration. This can be used for several purposes:
Avoiding the prohibition on voting multiple times
Obscuring the IP address of voters from administrators looking at the logs provided by this plugin
Looking at the answers of other poll participants. The default poll template will show you what somebody else voted for if you know their IP address
Even if the server is configured to strip IP forwarding headers, users on the same network could potentially look at what somebody else voted for, because multiple users on the same network will typically share an IPv4 address