WP-Polls Security & Risk Analysis

wordpress.org/plugins/wp-polls

Adds an AJAX poll system to your WordPress blog. You can also easily add a poll to any WordPress post or page.

40K active installs · v2.77.3 · PHP + WP 4.9.6+ · Updated Jan 18, 2025

Tags: booth, poll, polling, polls, vote

Score: 84 (B · Generally Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Jan 21, 2025
Safety Verdict

Is WP-Polls Safe to Use in 2026?

Mostly Safe

Score 84/100

WP-Polls is generally safe to use, though it has not been updated recently. All 6 past CVEs have been resolved. Keep it updated.

6 known CVEs · Last CVE: Jan 21, 2025 · Updated 1yr ago
Risk Assessment

The wp-polls plugin v2.77.3 presents a mixed security posture. It has a relatively small attack surface and applies some good security practices, such as nonce and capability checks, but significant concerns emerge from its vulnerability history and the static analysis findings. The plugin has a substantial history of known CVEs, including critical- and high-severity issues, indicating a pattern of recurring security weaknesses. This history, coupled with two high-severity taint flows with unsanitized paths, strongly suggests potential for SQL injection or other injection vulnerabilities if these flows are not properly handled in downstream processing. The 42% of SQL queries that do not use prepared statements are also a notable risk. While the plugin appears to have addressed past critical and high vulnerabilities, the historical trend is concerning and calls for continued vigilance and diligent patching.

Bundled libraries like TinyMCE can introduce vulnerabilities if they fall out of date, and a moderate percentage of outputs are improperly escaped, but the most pressing issues stem from the taint analysis and the historical CVE data. The absence of unprotected entry points is a positive sign, but the identified taint flows and past vulnerabilities paint a picture of a plugin that, while functional, has a history of security oversights that could be exploited. A more robust approach to input sanitization and prepared statements across all database interactions would significantly improve its security standing. The fact that all previously disclosed CVEs are patched in this version is a positive indicator, but the overall trend warrants caution.

Key Concerns

  • High-severity taint flows with unsanitized paths
  • Significant percentage of SQL queries not prepared
  • Moderate percentage of improperly escaped outputs
  • History of critical-severity CVEs
  • History of high-severity CVEs
  • Bundled library (TinyMCE)

Vulnerabilities (6)

WP-Polls Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2016: 1 CVE
2019: 1 CVE
2022: 2 CVEs
2025: 1 CVE

Severity Breakdown

Critical: 1
High: 1
Medium: 4

6 total CVEs

CVE-2024-13426 · Medium · 5.4 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP-Polls <= 2.77.2 - Unauthenticated SQL Injection to Stored Cross-Site Scripting

Jan 21, 2025 · Patched in 2.77.3 (1d)

CVE-2022-1581 · Medium · 6.5 · Authorization Bypass Through User-Controlled Key

WP-Polls <= 2.75.6 - IP Validation Bypass

Oct 31, 2022 · Patched in 2.76.0 (449d)

CVE-2022-40130 · Medium · 4.3 · Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

WP-Polls <= 2.76.0 - Race Condition

Oct 5, 2022 · Patched in 2.77.0 (475d)

CVE-2015-9352 · Critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP-Polls <= 2.71 - SQL Injection

Aug 26, 2019 · Patched in 2.72 (1611d)

CVE-2016-10936 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Polls <= 2.73 - Cross-Site Scripting

Jul 29, 2016 · Patched in 2.73.1 (2734d)

WF-e25f524e-360d-4c80-a0ab-90ee94825b1b-wp-polls · High · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Polls <= 2.70 - Stored Cross-Site Scripting

Aug 14, 2015 · Patched in 2.71 (3084d)
Code Analysis
Analyzed Mar 16, 2026

WP-Polls Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 41 (56 prepared)
Unescaped Output: 159 (216 escaped)
Nonce Checks: 12
Capability Checks: 7
File Operations: 3
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

58% prepared · 97 total queries

Output Escaping

58% escaped · 375 total outputs

Data Flows (2 unsanitized)

Data Flow Analysis

7 flows · 2 with unsanitized paths
<polls-add> (polls-add.php:0)
Attack Surface

WP-Polls Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers (3)

auth · wp_ajax_polls · wp-polls.php:1458
nopriv · wp_ajax_polls · wp-polls.php:1459
auth · wp_ajax_polls-admin · wp-polls.php:1509

Shortcodes (2)

[page_polls] · wp-polls.php:767
[poll] · wp-polls.php:774

WordPress Hooks (25)

action · plugins_loaded · wp-polls.php:36
action · admin_menu · wp-polls.php:50
action · wp_enqueue_scripts · wp-polls.php:170
action · admin_enqueue_scripts · wp-polls.php:219
action · admin_footer-post-new.php · wp-polls.php:245
action · admin_footer-post.php · wp-polls.php:246
action · admin_footer-page-new.php · wp-polls.php:247
action · admin_footer-page.php · wp-polls.php:248
action · init · wp-polls.php:266
filter · mce_external_plugins · wp-polls.php:272
filter · mce_buttons · wp-polls.php:273
filter · wp_mce_translation · wp-polls.php:274
filter · wp_polls_template_voteheader_markup · wp-polls.php:409
filter · wp_polls_template_votebody_markup · wp-polls.php:410
filter · wp_polls_template_votefooter_markup · wp-polls.php:411
filter · wp_polls_template_resultheader_markup · wp-polls.php:412
filter · wp_polls_template_resultbody_markup · wp-polls.php:413
filter · wp_polls_template_resultbody2_markup · wp-polls.php:414
filter · wp_polls_template_resultfooter_markup · wp-polls.php:415
filter · wp_polls_template_resultfooter2_markup · wp-polls.php:416
action · polls_cron · wp-polls.php:1303
action · plugins_loaded · wp-polls.php:1705
filter · wp_stats_page_admin_plugins · wp-polls.php:1707
filter · wp_stats_page_plugins · wp-polls.php:1708
action · widgets_init · wp-polls.php:1825

Scheduled Events (2)

polls_cron
polls_cron
Maintenance & Trust

WP-Polls Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 18, 2025
PHP min version
Downloads: 3.7M

Community Trust

Rating: 84/100
Number of ratings: 136
Active installs: 40K
Developer Profile

WP-Polls Developer Profile

Lester Chan

20 plugins · 889K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 1377 days
Detection Fingerprints

How We Detect WP-Polls

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
