WP Voting Contest Lite Security & Risk Analysis

wordpress.org/plugins/wp-voting-contest

Let users cast votes on your images/photos.

500 active installs v5.8 PHP 8.1+ WP 5.0+ Updated Feb 27, 2025
contest, gallery, likes, photo, voting
47
D · High Risk
CVEs total: 3
Unpatched: 2
Last CVE: Aug 21, 2025
Safety Verdict

Is WP Voting Contest Lite Safe to Use in 2026?

High Risk

Score 47/100

WP Voting Contest Lite carries significant security risk with 3 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

3 known CVEs · 2 unpatched · Last CVE: Aug 21, 2025 · Updated 1yr ago
Risk Assessment

The wp-voting-contest plugin version 5.8 exhibits a concerning security posture despite some positive indicators. Every SQL query uses a prepared statement and nearly all output is properly escaped, but these strengths are overshadowed by significant weaknesses. The plugin has a large attack surface: 25 of its 29 entry points are REST API routes, and none of the 25 registers a permission callback, leaving them entirely unprotected. The code analysis also counts zero nonce checks and zero capability checks, so nothing in the scan indicates that the route handlers enforce authorization themselves. This is a critical flaw that could allow unauthorized users to interact with sensitive plugin functionality.

The vulnerability history further amplifies these concerns. With 3 known CVEs, 2 of which remain unpatched, and a recent vulnerability in August 2025, the plugin has a pattern of security issues. The common vulnerability types of Missing Authorization and Cross-Site Scripting, which align with the identified lack of authorization checks on REST API routes, suggest recurring security design flaws. The presence of a single unsanitized path in the taint analysis, even if not classified as critical or high, is also a point of concern, as it can be a vector for attacks.

In conclusion, while the plugin demonstrates good practices in data handling with prepared SQL and output escaping, the extensive unprotected attack surface and a history of unpatched vulnerabilities, particularly related to authorization, make it a high-risk component. Users should exercise extreme caution and prioritize patching or migrating away from this plugin.

Key Concerns

  • Unprotected REST API routes
  • Unpatched CVEs
  • Missing Nonce checks
  • Missing Capability checks
  • Flows with unsanitized paths
Vulnerabilities
3

WP Voting Contest Lite Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-60086 · medium · 5.3 · Missing Authorization
Voting Contest <= 5.8 - Missing Authorization
Aug 21, 2025 · Unpatched

CVE-2025-50017 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Voting Contest <= 5.8 - Authenticated (Editor+) Stored Cross-Site Scripting
Jun 19, 2025 · Unpatched

CVE-2022-0321 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Voting Contest < 3.0 - Reflected Cross-Site Scripting
Feb 16, 2022 · Patched in 3.0 (706d)
Code Analysis
Analyzed Mar 16, 2026

WP Voting Contest Lite Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (111 prepared)
Unescaped Output: 2 (224 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 18
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

100% prepared · 111 total queries

Output Escaping

99% escaped · 226 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<wpvc_contestant_post_controller> (wpvc_controller\wpvc_contestant_post_controller.php:0)
Attack Surface
25 unprotected

WP Voting Contest Lite Attack Surface

Entry Points: 29
Unprotected: 25

REST API Routes 25

GET /wp-json/wpvc-voting/v1/wpvcgetshowcontestant wpvc_controller\wpvc_front_rest_register_controller.php:31
GET /wp-json/wpvc-voting/v1/wpvcsubmitentry wpvc_controller\wpvc_front_rest_register_controller.php:42
GET /wp-json/wpvc-voting/v1/wpvcuploadfiles wpvc_controller\wpvc_front_rest_register_controller.php:53
GET /wp-json/wpvc-voting/v1/wpvcsavevotes wpvc_controller\wpvc_front_rest_register_controller.php:64
GET /wp-json/wpvc-voting/v1/wpvcsendemail wpvc_controller\wpvc_front_rest_register_controller.php:75
GET /wp-json/wpvc-voting/v1/wpvclogon wpvc_controller\wpvc_front_rest_register_controller.php:86
GET /wp-json/wpvc-voting/v1/wpvcregister wpvc_controller\wpvc_front_rest_register_controller.php:97
GET /wp-json/wpvc-voting/v1/wpvcgetregister wpvc_controller\wpvc_front_rest_register_controller.php:108
GET /wp-json/wpvc-voting/v1/wpvcresetpassword wpvc_controller\wpvc_front_rest_register_controller.php:119
GET /wp-json/wpvc-voting/v1/wpvcdeletecontestant wpvc_controller\wpvc_front_rest_register_controller.php:130
GET /wp-json/wpvc-voting/v1/wpvcsettingfetch wpvc_controller\wpvc_rest_register_controller.php:22
POST /wp-json/wpvc-voting/v1/wpvcupdatesetting wpvc_controller\wpvc_rest_register_controller.php:32
GET /wp-json/wpvc-voting/v1/wpvcvotinglogsfetch wpvc_controller\wpvc_rest_register_controller.php:42
POST /wp-json/wpvc-voting/v1/wpvcvotingdelete wpvc_controller\wpvc_rest_register_controller.php:52
POST /wp-json/wpvc-voting/v1/wpvcvotingmultipledelete wpvc_controller\wpvc_rest_register_controller.php:62
POST /wp-json/wpvc-voting/v1/wpvcmigratecontestants wpvc_controller\wpvc_rest_register_controller.php:72
GET /wp-json/wpvc-voting/v1/wpvccategoryfetch wpvc_controller\wpvc_rest_register_controller.php:83
POST /wp-json/wpvc-voting/v1/wpvccategoryupdate wpvc_controller\wpvc_rest_register_controller.php:93
POST /wp-json/wpvc-voting/v1/wpvccategorydelete wpvc_controller\wpvc_rest_register_controller.php:102
GET /wp-json/wpvc-voting/v1/wpvccustomfieldsfetch wpvc_controller\wpvc_rest_register_controller.php:113
POST /wp-json/wpvc-voting/v1/wpvcupdatecustomfield wpvc_controller\wpvc_rest_register_controller.php:123
POST /wp-json/wpvc-voting/v1/wpvcassigncustom wpvc_controller\wpvc_rest_register_controller.php:133
POST /wp-json/wpvc-voting/v1/wpvcgetassigncustom wpvc_controller\wpvc_rest_register_controller.php:143
GET /wp-json/wpvc-voting/v1/wpvcgetsitetranslations wpvc_controller\wpvc_rest_register_controller.php:155
POST /wp-json/wpvc-voting/v1/wpvcsavelicense wpvc_controller\wpvc_rest_register_controller.php:167

Shortcodes 4

[showcontestants] wpvc_controller\wpvc_shortcode_controller.php:27
[addcontestants] wpvc_controller\wpvc_shortcode_controller.php:29
[upcomingcontestants] wpvc_controller\wpvc_shortcode_controller.php:31
[endcontestants] wpvc_controller\wpvc_shortcode_controller.php:32
WordPress Hooks 49

action wp_loaded configuration\config.php:117
filter rest_pre_serve_request configuration\config.php:130
action wp_head configuration\helper.php:11
action after_setup_theme ow_votes.php:28
action init ow_votes.php:41
action admin_init ow_votes.php:56
action init wpvc_controller\wpvc_admin_controller.php:15
action admin_menu wpvc_controller\wpvc_admin_controller.php:16
action parent_file wpvc_controller\wpvc_admin_controller.php:17
action admin_init wpvc_controller\wpvc_admin_controller.php:18
action current_screen wpvc_controller\wpvc_admin_controller.php:19
action admin_enqueue_scripts wpvc_controller\wpvc_admin_controller.php:21
action add_meta_boxes wpvc_controller\wpvc_admin_controller.php:23
action save_post_contestants wpvc_controller\wpvc_admin_controller.php:24
filter use_block_editor_for_post_type wpvc_controller\wpvc_admin_controller.php:25
action admin_bar_menu wpvc_controller\wpvc_admin_controller.php:27
action widgets_init wpvc_controller\wpvc_admin_controller.php:28
action restrict_manage_posts wpvc_controller\wpvc_admin_controller.php:30
filter parse_query wpvc_controller\wpvc_admin_controller.php:31
filter admin_body_class wpvc_controller\wpvc_admin_controller.php:33
filter post_row_actions wpvc_controller\wpvc_admin_controller.php:38
action init wpvc_controller\wpvc_admin_controller.php:40
action wp_after_admin_bar_render wpvc_controller\wpvc_contestant_post_controller.php:17
action add_meta_boxes wpvc_controller\wpvc_contestant_post_controller.php:23
action pre_get_posts wpvc_controller\wpvc_contestant_post_controller.php:26
filter posts_clauses wpvc_controller\wpvc_contestant_post_controller.php:27
action transition_post_status wpvc_controller\wpvc_email_controller.php:15
filter get_the_excerpt wpvc_controller\wpvc_excerpt_controller.php:23
action rest_api_init wpvc_controller\wpvc_front_rest_register_controller.php:15
filter rest_prepare_contestants wpvc_controller\wpvc_front_rest_register_controller.php:16
filter rest_contestants_collection_params wpvc_controller\wpvc_front_rest_register_controller.php:17
filter rest_contestants_query wpvc_controller\wpvc_front_rest_register_controller.php:18
action rest_api_init wpvc_controller\wpvc_rest_register_controller.php:16
filter the_posts wpvc_controller\wpvc_shortcode_controller.php:18
action wp_enqueue_scripts wpvc_controller\wpvc_shortcode_controller.php:23
filter single_template wpvc_controller\wpvc_shortcode_controller.php:34
action init wpvc_controller\wpvc_shortcode_controller.php:36
action wp_enqueue_scripts wpvc_controller\wpvc_shortcode_controller.php:211
filter pre_set_site_transient_update_plugins wpvc_controller\wpvc_vote_updater.php:26
filter plugins_api wpvc_controller\wpvc_vote_updater.php:27
action ow_before_single_content wpvc_model\wpvc_single_contestant_model.php:19
action ow_after_single_content wpvc_model\wpvc_single_contestant_model.php:20
filter twentynineteen_can_show_post_thumbnail wpvc_model\wpvc_single_contestant_model.php:23
action ow_before_single_content wpvc_model\wpvc_single_contestant_model.php:24
action ow_after_single_content wpvc_model\wpvc_single_contestant_model.php:25
action ow_before_single_content wpvc_model\wpvc_single_contestant_model.php:28
action ow_after_single_content wpvc_model\wpvc_single_contestant_model.php:29
action ow_before_single_content wpvc_model\wpvc_single_contestant_model.php:32
action ow_after_single_content wpvc_model\wpvc_single_contestant_model.php:33
Maintenance & Trust

WP Voting Contest Lite Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 27, 2025
PHP min version: 8.1
Downloads: 31K

Community Trust

Rating: 62/100
Number of ratings: 15
Active installs: 500
Developer Profile

WP Voting Contest Lite Developer Profile

Matt

1 plugin · 500 total installs

Trust score: 42
Avg Security Score: 47/100
Avg Patch Time: 706 days
Detection Fingerprints

How We Detect WP Voting Contest Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-voting-contest/admin/css/wpvc-admin-styles.css
/wp-content/plugins/wp-voting-contest/admin/css/wpvc-form-styles.css
/wp-content/plugins/wp-voting-contest/admin/js/wpvc-admin-scripts.js
/wp-content/plugins/wp-voting-contest/admin/js/wpvc-form-scripts.js
/wp-content/plugins/wp-voting-contest/public/css/wpvc-public-styles.css
/wp-content/plugins/wp-voting-contest/public/css/wpvc-gallery-styles.css
/wp-content/plugins/wp-voting-contest/public/js/wpvc-public-scripts.js
/wp-content/plugins/wp-voting-contest/public/js/wpvc-gallery-scripts.js

Script Paths
/wp-content/plugins/wp-voting-contest/admin/js/wpvc-admin-scripts.js
/wp-content/plugins/wp-voting-contest/admin/js/wpvc-form-scripts.js
/wp-content/plugins/wp-voting-contest/public/js/wpvc-public-scripts.js
/wp-content/plugins/wp-voting-contest/public/js/wpvc-gallery-scripts.js

Version Parameters
wp-voting-contest/admin/css/wpvc-admin-styles.css?ver=
wp-voting-contest/admin/css/wpvc-form-styles.css?ver=
wp-voting-contest/admin/js/wpvc-admin-scripts.js?ver=
wp-voting-contest/admin/js/wpvc-form-scripts.js?ver=
wp-voting-contest/public/css/wpvc-public-styles.css?ver=
wp-voting-contest/public/css/wpvc-gallery-styles.css?ver=
wp-voting-contest/public/js/wpvc-public-scripts.js?ver=
wp-voting-contest/public/js/wpvc-gallery-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpvc_contestants_sec_sidebar, wpvc_contestests_sidebar, wpvc_voting_form_field, wpvc_contestant_image, wpvc_contestant_name, wpvc_contestant_votes, wpvc_voting_button, wpvc_gallery_item (+3 more)

Data Attributes
data-contestant-id, data-contest-id, data-voting-nonce

JS Globals
wpvc_voting_ajax_object, wpvc_voting_public_script_vars, wpvc_voting_gallery_script_vars

Shortcode Output
[wpvotingcontest]