Last week, I ran a giveaway which, for a variety of reasons, I had to cancel and declare “null & void”. While I won’t go into the details, I did want to raise some concerns, especially if you are using the WordPress plugin called “WP-Polls”, a great plugin that gives users the ability to vote on questions and tallies the results in graphs.
WP-Polls is currently the most popular polling and voting plugin in the WordPress “Extend” section, with over 370,000 downloads. It is great for general polling of audiences: you can embed polls in individual articles or in your sidebar, or have them appear automatically on a dedicated page. The developer, LesterChan.net, has written many great WordPress plugins of varying functionality. WP-Polls is described as follows: “Adds an AJAX poll system to your WordPress blog. You can easily include a poll into your WordPress’s blog post/page. WP-Polls is extremely customizable via templates and css styles and there are tons of options for you to choose to ensure that WP-Polls runs the way you wanted. It now supports multiple selection of answers.”

As this was the most popular voting and polling plugin on WordPress, I thought it would be a good choice for the “popular vote” in my computer giveaway. I was very wrong. Using a simple script, WP-Polls can be exploited and the voting results manipulated. I have great respect for the developer of this plugin, as I regularly use others of his. My reason for posting this is to make sure the exploit is highlighted so that the developer can fix it, and to inform other bloggers of the risks of using it.
I am posting the entire exploit below to bring it to light, so that awareness can be spread and the hole can be fixed. It comes from a forum post on the Critical Security site, where the poster introduces the script: