WP Voting Security & Risk Analysis

The wp-voting plugin v1.8 presents a mixed security posture. On the positive side, it has a relatively small attack surface with all identified entry points having some form of authentication or permission checks. Furthermore, the majority of SQL queries utilize prepared statements, indicating good practice in preventing SQL injection vulnerabilities. The absence of file operations and external HTTP requests are also positive security indicators.

However, significant concerns arise from the code analysis. The presence of the deprecated and inherently insecure `create_function` is a major red flag, potentially leading to code injection vulnerabilities. A critical finding is the 2 identified taint flows with unsanitized paths, suggesting potential for vulnerabilities like cross-site scripting (XSS) or arbitrary file read/write if not handled carefully by the application context. The very low percentage of properly escaped output (3%) is particularly alarming, directly correlating with the historical medium severity XSS vulnerability found in 2025. This indicates a high likelihood of reflected or stored XSS vulnerabilities.

The plugin's vulnerability history, with one unpatched medium severity CVE related to XSS, reinforces the concerns raised by the static analysis. This suggests a pattern of input validation and output escaping weaknesses. While the plugin demonstrates strengths in preventing direct SQL injection and controlling its attack surface, the prevalence of insecure coding practices and insufficient output sanitization poses a notable risk to WordPress sites utilizing this plugin.