WP-Safety

WP Voting Contest Lite Security & Risk Analysis

wordpress.org/plugins/wp-voting-contest

Let users cast votes on your images/photos.

500 active installs v5.8 PHP 8.1+ WP 5.0+ Updated Feb 27, 2025
contestgallerylikesphotovoting
47
D · High Risk
CVEs total3
Unpatched2
Last CVEAug 21, 2025
Plugin page Download
Safety Verdict

Is WP Voting Contest Lite Safe to Use in 2026?

High Risk

Score 47/100

WP Voting Contest Lite carries significant security risk with 3 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

3 known CVEs 2 unpatched Last CVE: Aug 21, 2025Updated 1yr ago
Risk Assessment

The wp-voting-contest plugin version 5.8 exhibits a concerning security posture despite some positive indicators. While the use of prepared statements for all SQL queries and a high percentage of properly escaped output are commendable, these strengths are overshadowed by significant weaknesses. The plugin has a large attack surface, with 25 out of 29 entry points (REST API routes) lacking any permission callbacks, leaving them entirely unprotected. This is a critical flaw that could allow unauthorized users to interact with sensitive plugin functionalities.

The vulnerability history further amplifies these concerns. With 3 known CVEs, 2 of which remain unpatched, and a recent vulnerability in August 2025, the plugin has a pattern of security issues. The common vulnerability types of Missing Authorization and Cross-Site Scripting, which align with the identified lack of authorization checks on REST API routes, suggest recurring security design flaws. The presence of a single unsanitized path in the taint analysis, even if not classified as critical or high, is also a point of concern, as it can be a vector for attacks.

In conclusion, while the plugin demonstrates good practices in data handling with prepared SQL and output escaping, the extensive unprotected attack surface and a history of unpatched vulnerabilities, particularly related to authorization, make it a high-risk component. Users should exercise extreme caution and prioritize patching or migrating away from this plugin.

Key Concerns

  • Unprotected REST API routes
  • Unpatched CVEs
  • Missing Nonce checks
  • Missing Capability checks
  • Flows with unsanitized paths
Vulnerabilities
3 published

WP Voting Contest Lite Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
2 CVEs in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
3

3 total CVEs

CVE-2025-60086medium · 5.3Missing Authorization

Voting Contest <= 5.8 - Missing Authorization

Aug 21, 2025Unpatched
CVE-2025-50017medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Voting Contest <= 5.8 - Authenticated (Editor+) Stored Cross-Site Scripting

Jun 19, 2025Unpatched
CVE-2022-0321medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Voting Contest < 3.0 - Reflected Cross-Site Scripting

Feb 16, 2022 Patched in 3.0 (706d)
Version History

WP Voting Contest Lite Release Timeline

v5.8Current2 CVEs
CVE-2025-60086 CVE-2025-50017
v5.72 CVEs
CVE-2025-60086 CVE-2025-50017
v5.62 CVEs
CVE-2025-60086 CVE-2025-50017
v5.52 CVEs
CVE-2025-60086 CVE-2025-50017
v5.42 CVEs
CVE-2025-60086 CVE-2025-50017
v5.32 CVEs
CVE-2025-60086 CVE-2025-50017
v5.22 CVEs
CVE-2025-60086 CVE-2025-50017
v5.12 CVEs
CVE-2025-60086 CVE-2025-50017
v5.02 CVEs
CVE-2025-60086 CVE-2025-50017
v4.32 CVEs
CVE-2025-60086 CVE-2025-50017
v4.22 CVEs
CVE-2025-60086 CVE-2025-50017
v4.12 CVEs
CVE-2025-60086 CVE-2025-50017
v4.02 CVEs
CVE-2025-60086 CVE-2025-50017
v3.42 CVEs
CVE-2025-60086 CVE-2025-50017
v3.32 CVEs
CVE-2025-60086 CVE-2025-50017
v3.22 CVEs
CVE-2025-60086 CVE-2025-50017
v3.12 CVEs
CVE-2025-60086 CVE-2025-50017
v3.02 CVEs
CVE-2025-60086 CVE-2025-50017
v2.13 CVEs
CVE-2025-60086 CVE-2025-50017 CVE-2022-0321
v2.03 CVEs
CVE-2025-60086 CVE-2025-50017 CVE-2022-0321
Code Analysis
Analyzed Mar 16, 2026

WP Voting Contest Lite Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
111 prepared
Unescaped Output
2
224 escaped
Nonce Checks
0
Capability Checks
0
File Operations
18
External Requests
2
Bundled Libraries
0

SQL Query Safety

100% prepared111 total queries

Output Escaping

99% escaped226 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

1 flows1 with unsanitized paths
<wpvc_contestant_post_controller> (wpvc_controller\wpvc_contestant_post_controller.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
25 unprotected

WP Voting Contest Lite Attack Surface

Entry Points29
Unprotected25

REST API Routes 25

GET/wp-json/wpvc-voting/v1/wpvcgetshowcontestantwpvc_controller\wpvc_front_rest_register_controller.php:31
GET/wp-json/wpvc-voting/v1/wpvcsubmitentrywpvc_controller\wpvc_front_rest_register_controller.php:42
GET/wp-json/wpvc-voting/v1/wpvcuploadfileswpvc_controller\wpvc_front_rest_register_controller.php:53
GET/wp-json/wpvc-voting/v1/wpvcsavevoteswpvc_controller\wpvc_front_rest_register_controller.php:64
GET/wp-json/wpvc-voting/v1/wpvcsendemailwpvc_controller\wpvc_front_rest_register_controller.php:75
GET/wp-json/wpvc-voting/v1/wpvclogonwpvc_controller\wpvc_front_rest_register_controller.php:86
GET/wp-json/wpvc-voting/v1/wpvcregisterwpvc_controller\wpvc_front_rest_register_controller.php:97
GET/wp-json/wpvc-voting/v1/wpvcgetregisterwpvc_controller\wpvc_front_rest_register_controller.php:108
GET/wp-json/wpvc-voting/v1/wpvcresetpasswordwpvc_controller\wpvc_front_rest_register_controller.php:119
GET/wp-json/wpvc-voting/v1/wpvcdeletecontestantwpvc_controller\wpvc_front_rest_register_controller.php:130
GET/wp-json/wpvc-voting/v1/wpvcsettingfetchwpvc_controller\wpvc_rest_register_controller.php:22
POST/wp-json/wpvc-voting/v1/wpvcupdatesettingwpvc_controller\wpvc_rest_register_controller.php:32
GET/wp-json/wpvc-voting/v1/wpvcvotinglogsfetchwpvc_controller\wpvc_rest_register_controller.php:42
POST/wp-json/wpvc-voting/v1/wpvcvotingdeletewpvc_controller\wpvc_rest_register_controller.php:52
POST/wp-json/wpvc-voting/v1/wpvcvotingmultipledeletewpvc_controller\wpvc_rest_register_controller.php:62
POST/wp-json/wpvc-voting/v1/wpvcmigratecontestantswpvc_controller\wpvc_rest_register_controller.php:72
GET/wp-json/wpvc-voting/v1/wpvccategoryfetchwpvc_controller\wpvc_rest_register_controller.php:83
POST/wp-json/wpvc-voting/v1/wpvccategoryupdatewpvc_controller\wpvc_rest_register_controller.php:93
POST/wp-json/wpvc-voting/v1/wpvccategorydeletewpvc_controller\wpvc_rest_register_controller.php:102
GET/wp-json/wpvc-voting/v1/wpvccustomfieldsfetchwpvc_controller\wpvc_rest_register_controller.php:113
POST/wp-json/wpvc-voting/v1/wpvcupdatecustomfieldwpvc_controller\wpvc_rest_register_controller.php:123
POST/wp-json/wpvc-voting/v1/wpvcassigncustomwpvc_controller\wpvc_rest_register_controller.php:133
POST/wp-json/wpvc-voting/v1/wpvcgetassigncustomwpvc_controller\wpvc_rest_register_controller.php:143
GET/wp-json/wpvc-voting/v1/wpvcgetsitetranslationswpvc_controller\wpvc_rest_register_controller.php:155
POST/wp-json/wpvc-voting/v1/wpvcsavelicensewpvc_controller\wpvc_rest_register_controller.php:167

Shortcodes 4

[showcontestants] wpvc_controller\wpvc_shortcode_controller.php:27
[addcontestants] wpvc_controller\wpvc_shortcode_controller.php:29
[upcomingcontestants] wpvc_controller\wpvc_shortcode_controller.php:31
[endcontestants] wpvc_controller\wpvc_shortcode_controller.php:32
WordPress Hooks 49
actionwp_loadedconfiguration\config.php:117
filterrest_pre_serve_requestconfiguration\config.php:130
actionwp_headconfiguration\helper.php:11
actionafter_setup_themeow_votes.php:28
actioninitow_votes.php:41
actionadmin_initow_votes.php:56
actioninitwpvc_controller\wpvc_admin_controller.php:15
actionadmin_menuwpvc_controller\wpvc_admin_controller.php:16
actionparent_filewpvc_controller\wpvc_admin_controller.php:17
actionadmin_initwpvc_controller\wpvc_admin_controller.php:18
actioncurrent_screenwpvc_controller\wpvc_admin_controller.php:19
actionadmin_enqueue_scriptswpvc_controller\wpvc_admin_controller.php:21
actionadd_meta_boxeswpvc_controller\wpvc_admin_controller.php:23
actionsave_post_contestantswpvc_controller\wpvc_admin_controller.php:24
filteruse_block_editor_for_post_typewpvc_controller\wpvc_admin_controller.php:25
actionadmin_bar_menuwpvc_controller\wpvc_admin_controller.php:27
actionwidgets_initwpvc_controller\wpvc_admin_controller.php:28
actionrestrict_manage_postswpvc_controller\wpvc_admin_controller.php:30
filterparse_querywpvc_controller\wpvc_admin_controller.php:31
filteradmin_body_classwpvc_controller\wpvc_admin_controller.php:33
filterpost_row_actionswpvc_controller\wpvc_admin_controller.php:38
actioninitwpvc_controller\wpvc_admin_controller.php:40
actionwp_after_admin_bar_renderwpvc_controller\wpvc_contestant_post_controller.php:17
actionadd_meta_boxeswpvc_controller\wpvc_contestant_post_controller.php:23
actionpre_get_postswpvc_controller\wpvc_contestant_post_controller.php:26
filterposts_clauseswpvc_controller\wpvc_contestant_post_controller.php:27
actiontransition_post_statuswpvc_controller\wpvc_email_controller.php:15
filterget_the_excerptwpvc_controller\wpvc_excerpt_controller.php:23
actionrest_api_initwpvc_controller\wpvc_front_rest_register_controller.php:15
filterrest_prepare_contestantswpvc_controller\wpvc_front_rest_register_controller.php:16
filterrest_contestants_collection_paramswpvc_controller\wpvc_front_rest_register_controller.php:17
filterrest_contestants_querywpvc_controller\wpvc_front_rest_register_controller.php:18
actionrest_api_initwpvc_controller\wpvc_rest_register_controller.php:16
filterthe_postswpvc_controller\wpvc_shortcode_controller.php:18
actionwp_enqueue_scriptswpvc_controller\wpvc_shortcode_controller.php:23
filtersingle_templatewpvc_controller\wpvc_shortcode_controller.php:34
actioninitwpvc_controller\wpvc_shortcode_controller.php:36
actionwp_enqueue_scriptswpvc_controller\wpvc_shortcode_controller.php:211
filterpre_set_site_transient_update_pluginswpvc_controller\wpvc_vote_updater.php:26
filterplugins_apiwpvc_controller\wpvc_vote_updater.php:27
actionow_before_single_contentwpvc_model\wpvc_single_contestant_model.php:19
actionow_after_single_contentwpvc_model\wpvc_single_contestant_model.php:20
filtertwentynineteen_can_show_post_thumbnailwpvc_model\wpvc_single_contestant_model.php:23
actionow_before_single_contentwpvc_model\wpvc_single_contestant_model.php:24
actionow_after_single_contentwpvc_model\wpvc_single_contestant_model.php:25
actionow_before_single_contentwpvc_model\wpvc_single_contestant_model.php:28
actionow_after_single_contentwpvc_model\wpvc_single_contestant_model.php:29
actionow_before_single_contentwpvc_model\wpvc_single_contestant_model.php:32
actionow_after_single_contentwpvc_model\wpvc_single_contestant_model.php:33
Maintenance & Trust

WP Voting Contest Lite Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedFeb 27, 2025
PHP min version8.1
Downloads31K

Community Trust

Rating62/100
Number of ratings15
Active installs500
Alternatives

WP Voting Contest Lite Alternatives

Tribulant Gallery Voting

Tribulant Gallery Voting

gallery-voting

A
91

Let users cast votes/likes on your WordPress gallery images/photos.

300 1 CVE
Voting for a Photo

Voting for a Photo

voting-for-a-photo

A
85

Adding a photo vote to the WordPress Gallery

90 No CVEs
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe

contest-gallery

B
76

JPG, PNG, MP4, MP3, PDF, ZIP & more. Create voting & uploading galleries for photos & media. Social Share, User Registration & Sell via PayPal/Stripe.

1K 40 CVEs
Photo Contest | Competition | Video Contest

Photo Contest | Competition | Video Contest

totalcontest-lite

B
73

If you're looking to host a contest or competition on your WordPress website, TotalContest is the perfect plugin for you.

300 1 unpatched
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

instagram-feed

A
98

Formerly "Instagram Feed". Display clean, customizable, and responsive Instagram feeds from multiple accounts. Supports Instagram oEmbeds.

1.0M 4 CVEs
Developer Profile

WP Voting Contest Lite Developer Profile

Matt

1 plugin · 500 total installs

42
trust score
Avg Security Score
47/100
Avg Patch Time
706 days
View full developer profile
Detection Fingerprints

How We Detect WP Voting Contest Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-voting-contest/admin/css/wpvc-admin-styles.css/wp-content/plugins/wp-voting-contest/admin/css/wpvc-form-styles.css/wp-content/plugins/wp-voting-contest/admin/js/wpvc-admin-scripts.js/wp-content/plugins/wp-voting-contest/admin/js/wpvc-form-scripts.js/wp-content/plugins/wp-voting-contest/public/css/wpvc-public-styles.css/wp-content/plugins/wp-voting-contest/public/css/wpvc-gallery-styles.css/wp-content/plugins/wp-voting-contest/public/js/wpvc-public-scripts.js/wp-content/plugins/wp-voting-contest/public/js/wpvc-gallery-scripts.js
Script Paths
/wp-content/plugins/wp-voting-contest/admin/js/wpvc-admin-scripts.js/wp-content/plugins/wp-voting-contest/admin/js/wpvc-form-scripts.js/wp-content/plugins/wp-voting-contest/public/js/wpvc-public-scripts.js/wp-content/plugins/wp-voting-contest/public/js/wpvc-gallery-scripts.js
Version Parameters
wp-voting-contest/admin/css/wpvc-admin-styles.css?ver=wp-voting-contest/admin/css/wpvc-form-styles.css?ver=wp-voting-contest/admin/js/wpvc-admin-scripts.js?ver=wp-voting-contest/admin/js/wpvc-form-scripts.js?ver=wp-voting-contest/public/css/wpvc-public-styles.css?ver=wp-voting-contest/public/css/wpvc-gallery-styles.css?ver=wp-voting-contest/public/js/wpvc-public-scripts.js?ver=wp-voting-contest/public/js/wpvc-gallery-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpvc_contestants_sec_sidebarwpvc_contestests_sidebarwpvc_voting_form_fieldwpvc_contestant_imagewpvc_contestant_namewpvc_contestant_voteswpvc_voting_buttonwpvc_gallery_item+3 more
Data Attributes
data-contestant-iddata-contest-iddata-voting-nonce
JS Globals
wpvc_voting_ajax_objectwpvc_voting_public_script_varswpvc_voting_gallery_script_vars
Shortcode Output
[wpvotingcontest]
FAQ

Frequently Asked Questions about WP Voting Contest Lite