Post Ratings Security & Risk Analysis

wordpress.org/plugins/post-ratings

Simple, developer-friendly, straightforward post rating plugin. Relies on post meta to store avg. rating / vote count.

700 active installs · v3.0 · PHP + WP 4.0.0+ · Updated Nov 28, 2017
Tags: ajax, post, post rating, rating, ratings
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Post Ratings Safe to Use in 2026?

Generally Safe

Score 85/100

Post Ratings has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8yr ago
Risk Assessment

The 'post-ratings' v3.0 plugin exhibits a generally positive security posture, with no known vulnerabilities and a well-defined attack surface. The absence of SQL injection risk (queries use prepared statements) and the lack of file operations or external HTTP requests are strong indicators of good development practices. However, a significant concern is the low percentage of properly escaped output: of 37 output operations, only 22% are properly escaped, so Cross-Site Scripting (XSS) vulnerabilities are likely to be present, especially since taint analysis found no data flows to analyze and therefore could not rule them out. The lack of explicit nonce checks on its AJAX handlers, although the attack surface is categorized as 'Unprotected: 0', still leaves room for brute-force or automated attacks if the handlers are not adequately protected by other means (e.g., capability checks). The plugin's clean vulnerability history is encouraging and suggests it has been maintained with security in mind, but the current static analysis findings on output escaping warrant immediate attention.

Key Concerns

  • Low percentage of properly escaped output
  • Missing nonce checks on AJAX handlers
Vulnerabilities
None known

Post Ratings Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Post Ratings Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 29 (8 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

22% escaped · 37 total outputs
Attack Surface

Post Ratings Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 2

auth: wp_ajax_rate_post (post-ratings.php:148)
nopriv: wp_ajax_rate_post (post-ratings.php:149)

Shortcodes 2

[rate] post-ratings.php:159
[top_rated] post-ratings.php:160
WordPress Hooks 18
action: pre_get_posts (includes\query.php:15)
filter: posts_join (includes\query.php:18)
filter: posts_orderby (includes\query.php:19)
filter: posts_fields (includes\query.php:20)
action: admin_menu (includes\settings.php:15)
action: admin_init (includes\settings.php:16)
action: admin_enqueue_scripts (includes\settings.php:17)
action: plugins_loaded (post-ratings.php:96)
filter: plugin_row_meta (post-ratings.php:141)
filter: plugin_action_links (post-ratings.php:142)
action: wp (post-ratings.php:144)
action: widgets_init (post-ratings.php:152)
filter: user_has_cap (post-ratings.php:155)
filter: map_meta_cap (post-ratings.php:156)
action: wp_enqueue_scripts (post-ratings.php:463)
filter: the_content (post-ratings.php:470)
filter: bbp_get_topic_content (post-ratings.php:473)
filter: bbp_get_reply_content (post-ratings.php:474)
Maintenance & Trust

Post Ratings Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.5.33
Last updated: Nov 28, 2017
PHP min version
Downloads: 77K

Community Trust

Rating: 90/100
Number of ratings: 23
Active installs: 700
Developer Profile

Post Ratings Developer Profile

digitalnature

2 plugins · 800 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Post Ratings

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/post-ratings/assets/css/frontend.css
/wp-content/plugins/post-ratings/assets/js/frontend.js
Script Paths
/wp-content/plugins/post-ratings/assets/js/frontend.js
Version Parameters
post-ratings/assets/css/frontend.css?ver=
post-ratings/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
post-ratings-widget-wrapper, post-ratings-item-wrapper, post-ratings-average, post-ratings-count, post-ratings-item, post-ratings-star, post-ratings-star-empty, post-ratings-star-filled
Data Attributes
data-post-id, data-rating, data-max-rating, data-rate-nonce
JS Globals
post_ratings_params
Shortcode Output
[rate], [top_rated]
FAQ

Frequently Asked Questions about Post Ratings