WP-PostRatings Security & Risk Analysis

wordpress.org/plugins/wp-postratings

Adds an AJAX rating system for your WordPress site's content.

30K active installs · v1.91.2 · PHP + WP 4.9.6+ · Updated Jul 16, 2024

Tags: postrating, postratings, rating, ratings, vote

Score: 88 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Aug 1, 2024
Safety Verdict

Is WP-PostRatings Safe to Use in 2026?

Generally Safe

Score 88/100

WP-PostRatings has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Aug 1, 2024 · Updated 1yr ago
Risk Assessment

The wp-postratings plugin version 1.91.2 presents a mixed security posture. On the positive side, the static analysis reveals a limited attack surface, with all identified entry points (AJAX handlers, shortcodes) having access control mechanisms. The code also demonstrates a relatively good practice of using prepared statements for the majority of SQL queries and includes nonce and capability checks. However, the static analysis also flags a significant concern: only 53% of output is properly escaped, indicating a potential for Cross-Site Scripting vulnerabilities. Furthermore, the taint analysis shows two flows with unsanitized paths which, while not classified as critical or high severity in this specific analysis, warrant attention due to their potential to lead to security issues if they interact with sensitive operations.

The vulnerability history is a more significant area of concern. With five known CVEs, including one high and four medium severity, this plugin has a track record of security flaws. The common types of past vulnerabilities (XSS, SQL Injection, Race Conditions) directly align with the types of risks often introduced by insufficient input sanitization and improper output escaping. The most recent vulnerability being in 2024 further underscores the plugin's ongoing susceptibility to security issues. While there are currently no unpatched CVEs, the historical pattern suggests a need for ongoing vigilance and prompt updates.

Key Concerns

  • Significant portion of output not properly escaped
  • Taint flows with unsanitized paths identified
  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
  • Common vulnerability types: XSS and SQL Injection history
Vulnerabilities (5)

WP-PostRatings Security Vulnerabilities

CVEs by Year

  • 2011: 1 CVE
  • 2020: 1 CVE
  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2024-39659 (medium · 6.4): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-PostRatings <= 1.91.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Aug 1, 2024 · Patched in 1.91.2 (7d)

CVE-2023-40332 (medium · 5.3): Use of Less Trusted Source
WP-PostRatings <= 1.91 - IP Spoofing
Aug 16, 2023 · Patched in 1.91.1 (160d)

CVE-2022-36422 (medium · 4.3): Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
WP-PostRatings <= 1.89 - Race Condition
Aug 31, 2022 · Patched in 1.90 (510d)

CVE-2021-25117 (medium · 5.5): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-PostRatings <= 1.86 - Cross-Site Scripting
Dec 24, 2020 · Patched in 1.86.1 (1140d)

CVE-2011-4646 (high · 8.8): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
WP-PostRatings <= 1.61 - SQL Injection
Oct 6, 2011 · Patched in 1.62 (4492d)
Code Analysis
Analyzed Mar 16, 2026

WP-PostRatings Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 14 (79 prepared)
  • Unescaped Output: 140 (157 escaped)
  • Nonce Checks: 5
  • Capability Checks: 3
  • File Operations: 3
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

85% prepared (93 total queries)

Output Escaping

53% escaped (297 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

6 flows, 2 with unsanitized paths
process_ratings (wp-postratings.php:525)
Attack Surface

WP-PostRatings Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers (3)

  • auth: wp_ajax_postratings (wp-postratings.php:523)
  • nopriv: wp_ajax_postratings (wp-postratings.php:524)
  • auth: wp_ajax_postratings-admin (wp-postratings.php:623)

Shortcodes (1)

  • [ratings] (includes\postratings-shortcodes.php:33)
WordPress Hooks (31)

  • action admin_menu: includes\postratings-admin.php:32
  • filter manage_posts_columns: includes\postratings-admin.php:35
  • filter manage_pages_columns: includes\postratings-admin.php:36
  • action manage_posts_custom_column: includes\postratings-admin.php:39
  • action manage_pages_custom_column: includes\postratings-admin.php:40
  • filter manage_edit-post_sortable_columns: includes\postratings-admin.php:43
  • filter manage_edit-page_sortable_columns: includes\postratings-admin.php:44
  • action plugins_loaded: includes\postratings-i18n.php:33
  • action wp_enqueue_scripts: includes\postratings-scripts.php:19
  • action admin_enqueue_scripts: includes\postratings-scripts.php:67
  • action widgets_init: includes\postratings-widgets.php:204
  • action init: wp-postratings.php:71
  • action loop_start: wp-postratings.php:285
  • filter comment_text: wp-postratings.php:344
  • action publish_post: wp-postratings.php:498
  • action publish_page: wp-postratings.php:499
  • action delete_post: wp-postratings.php:511
  • filter query_vars: wp-postratings.php:779
  • action pre_get_posts: wp-postratings.php:788
  • filter posts_fields: wp-postratings.php:791
  • filter posts_join: wp-postratings.php:792
  • filter posts_orderby: wp-postratings.php:793
  • filter posts_fields: wp-postratings.php:798
  • filter posts_join: wp-postratings.php:799
  • filter posts_orderby: wp-postratings.php:800
  • action pre_get_posts: wp-postratings.php:815
  • action plugins_loaded: wp-postratings.php:829
  • filter wp_stats_page_admin_plugins: wp-postratings.php:831
  • filter wp_stats_page_admin_most: wp-postratings.php:832
  • filter wp_stats_page_plugins: wp-postratings.php:833
  • filter wp_stats_page_most: wp-postratings.php:834
Maintenance & Trust

WP-PostRatings Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.6.5
  • Last updated: Jul 16, 2024
  • PHP min version
  • Downloads: 2.3M

Community Trust

  • Rating: 86/100
  • Number of ratings: 179
  • Active installs: 30K
Developer Profile

WP-PostRatings Developer Profile

Lester Chan

20 plugins · 889K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 1377 days
Detection Fingerprints

How We Detect WP-PostRatings

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-postratings/images/loading.gif
  • /wp-content/plugins/wp-postratings/css/postratings-style.css
  • /wp-content/plugins/wp-postratings/js/postratings-script.js
Script Paths
  • /wp-content/plugins/wp-postratings/js/postratings-script.js
Version Parameters
  • wp-postratings/css/postratings-style.css?ver=
  • wp-postratings/js/postratings-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • post-ratings-loading
  • post-ratings-image
  • post-ratings
  • rating-bar
  • rating-number
Data Attributes
  • id="post-ratings-
  • class="post-ratings-loading"
  • class="post-ratings-image"
  • class="post-ratings"
  • data-nonce="
  • id="rating-
  • +2 more
JS Globals
  • postRatings
  • postRatingsAJAX
REST Endpoints
  • /wp-json/wp-postratings/v1/rate-post
FAQ

Frequently Asked Questions about WP-PostRatings