YOP Poll Security & Risk Analysis

wordpress.org/plugins/yop-poll

Use a full option polling solution to get the answers you need. YOP Poll is the perfect, easy to use poll plugin for your WordPress site.

10K active installs · v6.5.40 · PHP + WP 3.3+ · Updated Feb 16, 2026

Tags: create-poll, poll, poll-plugin, polls, wordpress-poll

Security score: 92/100 · Grade A · Safe
CVEs total: 14
Unpatched: 0
Last CVE: Nov 2, 2025
Safety Verdict

Is YOP Poll Safe to Use in 2026?

Generally Safe

Score 92/100

YOP Poll has a strong security track record. Known vulnerabilities have been patched promptly.

14 known CVEs · Last CVE: Nov 2, 2025 · Updated 1mo ago
Risk Assessment

The yop-poll plugin v6.5.40 exhibits a mixed security posture. It demonstrates good practices in many areas, including a high percentage of properly escaped output and SQL queries that use prepared statements, but several concerning aspects remain. Static analysis reveals a significant attack surface: 10 unprotected AJAX handlers that could be exploited to bypass authorization checks. The 2 critical severity taint flows with unsanitized paths indicate potential for severe vulnerabilities if those flows are reachable by attackers. The plugin's vulnerability history is also a notable concern, with 14 known CVEs, including one high severity vulnerability. Although there are currently no unpatched vulnerabilities, the recurring pattern of missing authorization and cross-site scripting issues suggests a need for more robust security development lifecycle practices. The plugin's strengths lie in its secure coding efforts, but the identified unprotected entry points and taint analysis findings warrant careful attention.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Known vulnerability history (1 High)
  • Dangerous function (unserialize)
Vulnerabilities (14)

YOP Poll Security Vulnerabilities

CVEs by Year

2015: 1
2017: 1
2019: 1
2020: 2
2021: 3
2022: 2
2023: 2
2025: 2

Severity Breakdown

High: 1
Medium: 13
Total: 14 CVEs

CVE-2025-64370 · Medium (5.3) · Missing Authorization
  YOP Poll <= 6.5.38 - Missing Authorization
  Nov 2, 2025 · Patched in 6.5.39 (16d)

CVE-2025-62040 · High (7.2) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.5.37 - Unauthenticated Stored Cross-Site Scripting
  Oct 12, 2025 · Patched in 6.5.38 (18d)

CVE-2023-6109 · Medium (5.3) · Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  YOP Poll <= 6.5.26 - Race Condition to Vote Manipulation
  Nov 13, 2023 · Patched in 6.5.27 (71d)

CVE-2023-46611 · Medium (5.3) · Guessable CAPTCHA
  YOP Poll <= 6.5.28 - Reusable Captcha via validateImage
  Oct 24, 2023 · Patched in 6.5.29 (91d)

CVE-2022-1600 · Medium (5.3) · Protection Mechanism Failure
  YOP Poll <= 6.4.2 - IP Spoofing via X-Forwarded-For header
  Jul 11, 2022 · Patched in 6.4.3 (561d)

CVE-2022-0205 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.3.4 - Author+ Stored Cross-Site Scripting
  Feb 14, 2022 · Patched in 6.3.5 (708d)

CVE-2021-24833 · Medium (5.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.3.0 - Author+ Stored Cross-Site Scripting via Preview Module
  Oct 15, 2021 · Patched in 6.3.1 (830d)

CVE-2021-24834 · Medium (5.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.3.0 - Author+ Stored Cross-Site Scripting via Options Module
  Oct 15, 2021 · Patched in 6.3.1 (830d)

CVE-2021-24454 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.2.7 - Unauthenticated Stored Cross-Site Scripting
  Jun 17, 2021 · Patched in 6.2.8 (950d)

WF-3e2e8dfb-df74-41b7-9b3b-0f5d7b1c545b-yop-poll · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.1.4 - Authenticated Stored Cross-Site Scripting
  Apr 24, 2020 · Patched in 6.1.5 (1369d)

CVE-2021-24885 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.1.1 - Reflected Cross-Site Scripting
  Jan 15, 2020 · Patched in 6.1.2 (1469d)

CVE-2019-9914 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 6.0.2 - Reflected Cross-Site Scripting via poll_id Parameter
  Feb 5, 2019 · Patched in 6.0.3 (1813d)

CVE-2017-2127 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 5.8.0 - Reflected Cross-Site Scripting
  Mar 23, 2017 · Patched in 5.8.1 (2497d)

WF-b33760d8-323a-4d0b-9a54-b84152bd4367-yop-poll · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  YOP Poll <= 5.7.3 - Reflected Cross-Site Scripting
  Jul 8, 2015 · Patched in 5.7.4 (3121d)
Code Analysis (analyzed Mar 16, 2026)

YOP Poll Code Analysis

Dangerous Functions: 62
Raw SQL Queries: 29 (264 prepared)
Unescaped Output: 54 (2061 escaped)
Nonce Checks: 27
Capability Checks: 60
File Operations: 6
External Requests: 6
Bundled Libraries: 0

Dangerous Functions Found

unserialize (62 occurrences):

  • admin\admin.php:700  $plugin_settings_decoded = unserialize( $plugin_settings );
  • admin\admin.php:1362  $vote_data = unserialize( $av->vote_data );
  • admin\admin.php:1394  $vote_data = unserialize( $vote->vote_data );
  • admin\admin.php:1492  $vote_data = unserialize( $vote->vote_data );
  • admin\admin.php:1981  $unserialized_settings = unserialize( $yop_poll_settings );
  • admin\admin.php:2062  $response = unserialize( $result['body'] );
  • admin\inc\ClassYopPollImporter4x.php:132  $unserialized_meta = unserialize( $poll->meta_value );
  • admin\inc\ClassYopPollImporter4x.php:353  $unserialized_a_meta = unserialize( $pA->meta_value );
  • admin\inc\ClassYopPollImporter4x.php:623  $udata = unserialize( $nc->meta_data );
  • admin\inc\ClassYopPollImporter5x.php:73  $unserialized_meta = unserialize( $poll->meta_value );
  • admin\inc\ClassYopPollImporter5x.php:299  $unserialized_q_meta = unserialize( $pQ->meta_value );
  • admin\inc\ClassYopPollImporter5x.php:319  $unserialized_a_meta = unserialize( $pQA->meta_value );
  • admin\inc\ClassYopPollImporter5x.php:412  $unserialized_a_meta = unserialize( $pQA->meta_value );
  • admin\inc\maintenance.php:394  $poll_meta_data = unserialize( $poll['meta_data'] );
  • admin\models\elements.php:220  $element->meta_data = unserialize( $element->meta_data );
  • admin\models\elements.php:236  $element->meta_data = unserialize( $element->meta_data );
  • admin\models\logs-list.php:42  $message = unserialize( $record['vote_message'] );
  • admin\models\logs-list.php:248  $message = unserialize( $item['vote_message'] );
  • admin\models\logs.php:332  $log_message = unserialize( $row['vote_message'] );
  • admin\models\logs.php:406  $log_message = unserialize( $row['vote_message'] );
  • admin\models\logs.php:531  $vote_data = unserialize( $log->vote_data );
  • admin\models\polls-list.php:26  $poll_meta = unserialize( $row['meta_data'] );
  • admin\models\polls-list.php:246  $poll_meta = unserialize( $item['meta_data'] );
  • admin\models\polls-list.php:262  $poll_meta = unserialize( $item['meta_data'] );
  • admin\models\polls.php:377  $poll_meta_data = unserialize( $poll['meta_data'] );
  • admin\models\polls.php:529  $db_poll_meta = unserialize( $GLOBALS['wpdb']->get_var( $GLOBALS['wpdb']->prepare( "SELECT `meta_dat (snippet truncated in the analysis output)
  • admin\models\polls.php:679  $new_poll_meta_data = unserialize( $cloned_poll->meta_data );
  • admin\models\polls.php:1650  $poll_meta_data = unserialize( $poll['meta_data'] );
  • admin\models\polls.php:1671  $poll_meta_data = unserialize( $poll['meta_data'] );
  • admin\models\polls.php:1700  $poll_meta_data = unserialize( $poll->meta_data );
  • admin\models\polls.php:1728  $poll_meta_data = unserialize( $poll->meta_data );
  • admin\models\polls.php:1782  $poll->meta_data = unserialize( $poll->meta_data );
  • admin\models\polls.php:1871  $poll->meta_data = unserialize( $poll->meta_data );
  • admin\models\polls.php:1899  return unserialize( $poll[0] );
  • admin\models\polls.php:2254  $poll_meta_data = unserialize( $poll['meta_data'] );
  • admin\models\polls.php:2541  $poll->meta_data = unserialize( $poll->meta_data );
  • admin\models\settings.php:219  $current_settings_decoded = unserialize( $current_settings );
  • admin\models\settings.php:298  $current_settings = unserialize( self::get_all_settings() );
  • admin\models\settings.php:347  $current_settings = unserialize( self::get_all_settings() );
  • admin\models\settings.php:355  $current_settings = unserialize( self::get_all_settings() );
  • admin\models\settings.php:360  $current_settings = unserialize( self::get_all_settings() );
  • admin\models\settings.php:365  $current_settings = unserialize( self::get_all_settings() );
  • admin\models\settings.php:384  $unserialized_settings = unserialize( $settings );
  • admin\models\settings.php:393  $unserialized_settings = unserialize( $settings );
  • admin\models\settings.php:405  $unserialized_settings = unserialize( $settings );
  • admin\models\settings.php:417  $unserialized_settings = unserialize( $settings );
  • admin\models\settings.php:426  $unserialized_settings = unserialize( $settings );
  • admin\models\settings.php:471  $unserialized_settings = unserialize( $settings );
  • admin\models\settings.php:480  $unserialized_settings = unserialize( $settings );
  • admin\models\settings.php:879  $current_settings = unserialize( self::get_all_settings() );
  • admin\models\subelements.php:237  $sub_element->meta_data = unserialize( $sub_element->meta_data );
  • admin\models\subelements.php:267  $sub_element->meta_data = unserialize( $sub_element->meta_data );
  • admin\models\votes.php:800  $general_settings = unserialize( YOP_Poll_Settings::get_all_settings() );
  • admin\models\votes.php:1511  $vote_data = unserialize( $vote->vote_data );
  • admin\models\votes.php:1813  $unserialized_data = unserialize( $vote_data );
  • admin\views\polls\add\design-predefined-styles.php:36  $skin_meta_data = unserialize( $skin->meta_data );
  • admin\views\polls\add\design-predefined-styles.php:115  $skin_meta_data = unserialize( $skin->meta_data );
  • admin\views\polls\edit\design-predefined-styles.php:47  $skin_meta_data = unserialize( $skin->meta_data );
  • admin\views\polls\edit\design-predefined-styles.php:131  $skin_meta_data = unserialize( $skin->meta_data );
  • public\public.php:31  $plugin_settings_decoded = unserialize( $plugin_settings );
  • public\public.php:298  $poll->meta_data = unserialize( $poll->meta_data );
  • public\public.php:342  $poll->meta_data = unserialize( $poll->meta_data );

SQL Query Safety

90% prepared (293 total queries)

Output Escaping

97% escaped (2115 total outputs)

Data Flows (3 unsanitized)

Data Flow Analysis

14 flows, 3 with unsanitized paths

Source (user input): search_box (admin\models\list-table.php:351)
Attack Surface (10 unprotected)

YOP Poll Attack Surface

Entry Points: 41
Unprotected: 10

AJAX Handlers (38)

  • auth: wp_ajax_create_yop_poll (admin\admin.php:23)
  • auth: wp_ajax_update_yop_poll (admin\admin.php:24)
  • auth: wp_ajax_delete_single_yop_poll (admin\admin.php:25)
  • auth: wp_ajax_delete_bulk_yop_poll (admin\admin.php:26)
  • auth: wp_ajax_clone_single_yop_poll (admin\admin.php:27)
  • auth: wp_ajax_clone_bulk_yop_poll (admin\admin.php:28)
  • auth: wp_ajax_reset_single_yop_poll (admin\admin.php:29)
  • auth: wp_ajax_reset_bulk_yop_poll (admin\admin.php:30)
  • auth: wp_ajax_create_yop_poll_ban (admin\admin.php:31)
  • auth: wp_ajax_delete_yop_poll_ban (admin\admin.php:32)
  • auth: wp_ajax_update_yop_poll_ban (admin\admin.php:33)
  • auth: wp_ajax_delete_bulk_yop_poll_ban (admin\admin.php:34)
  • auth: wp_ajax_delete_yop_poll_log (admin\admin.php:35)
  • auth: wp_ajax_get_yop_poll_log_details (admin\admin.php:36)
  • auth: wp_ajax_yop_poll_delete_logs_bulk (admin\admin.php:37)
  • auth: wp_ajax_yop_poll_is_user_logged_in (admin\admin.php:38)
  • auth: wp_ajax_yop_poll_record_vote (admin\admin.php:39)
  • auth: wp_ajax_yop_poll_record_wordpress_vote (admin\admin.php:40)
  • auth: wp_ajax_yop_poll_get_poll_for_frontend (admin\admin.php:41)
  • auth: wp_ajax_get_yop_poll_votes_customs (admin\admin.php:42)
  • auth: wp_ajax_yop-poll-get-vote-details (admin\admin.php:43)
  • auth: wp_ajax_yop_poll_delete_vote (admin\admin.php:44)
  • auth: wp_ajax_yop_poll_delete_votes_bulk (admin\admin.php:45)
  • auth: wp_ajax_yop_poll_save_settings (admin\admin.php:46)
  • auth: wp_ajax_yop_poll-add-votes-manually (admin\admin.php:47)
  • auth: wp_ajax_yop_poll_stop_showing_guide (admin\admin.php:48)
  • auth: wp_ajax_yop_poll_send_guide (admin\admin.php:49)
  • auth: wp_ajax_yop_poll_send_deactivation_feedback (admin\admin.php:50)
  • auth: wp_ajax_yop_poll_login_user (admin\admin.php:51)
  • auth: wp_ajax_yop_ajax_migrate (admin\admin.php:57)
  • auth: wp_ajax_yop_ajax_migrate (admin\admin.php:59)
  • nopriv: wp_ajax_yop_poll_is_user_logged_in (admin\admin.php:62)
  • nopriv: wp_ajax_yop_poll_record_vote (admin\admin.php:63)
  • nopriv: wp_ajax_yop_poll_record_wordpress_vote (admin\admin.php:64)
  • nopriv: wp_ajax_yop_poll_get_poll_for_frontend (admin\admin.php:65)
  • nopriv: wp_ajax_yop_poll_login_user (admin\admin.php:66)
  • auth: wp_ajax_yop_ajax_import (admin\inc\ClassYopPollImporter4x.php:31)
  • auth: wp_ajax_yop_ajax_import (admin\inc\ClassYopPollImporter5x.php:31)

Shortcodes (3)

[yop_poll] public\public.php:240
[yop_poll_archive] public\public.php:241
[yop_poll_stats] public\public.php:242
WordPress Hooks (17)

  • filter: admin_title (admin\admin.php:15)
  • filter: clean_url (admin\admin.php:16)
  • filter: set-screen-option (admin\admin.php:17)
  • action: admin_menu (admin\admin.php:18)
  • action: plugins_loaded (admin\admin.php:19)
  • action: plugins_loaded (admin\admin.php:20)
  • action: admin_enqueue_scripts (admin\admin.php:21)
  • action: set_logged_in_cookie (admin\admin.php:22)
  • action: admin_footer (admin\admin.php:53)
  • filter: admin_footer_text (admin\admin.php:694)
  • action: admin_footer (admin\models\list-table.php:165)
  • filter: script_loader_tag (public\public.php:4)
  • action: yop_poll_hourly_event (public\public.php:5)
  • action: wp_enqueue_scripts (public\public.php:6)
  • action: init (public\public.php:7)
  • action: init (public\public.php:8)
  • action: widgets_init (yop_poll.php:80)

Scheduled Events (1)

yop_poll_hourly_event
Maintenance & Trust

YOP Poll Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: not listed
Downloads: 1.2M

Community Trust

Rating: 88/100
Number of ratings: 448
Active installs: 10K
Developer Profile

YOP Poll Developer Profile

YOP

1 plugin · 10K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 1025 days
Detection Fingerprints

How We Detect YOP Poll

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

