For our fourth security review of a plugin based on the voting of our customers, we reviewed the plugin Democracy Poll.
If you are not yet a customer of the service you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service that haven’t already suggested and voted for plugins you can start doing that here.
The review was done on version 5.3.6 of Democracy Poll. We checked for the following issues:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Lack of protection against unintended direct access of PHP files
We found several issues in the plugin, though none of them is likely to lead to a website being hacked. We notified the developer of our findings on February 8, but we have yet to hear back from them and no changes have been made to the plugin since then.
Lack of CSRF Protection for Admin Actions
In a number of places in the admin section of the plugin, there is no protection against cross-site request forgery (CSRF).
That includes the ability to make various status changes to polls; specifically closing polls, opening polls, activating polls, deactivating polls, and deleting polls.
On the plugin’s admin page, when saving the contents of the Settings, Theme Settings, and Texts Changes pages, there is also no protection against CSRF.
CSRF/XSS for Poll Text
The lack of CSRF protection on the Texts Changes page can be used to cause cross-site scripting (XSS), because the settings on that page are not sanitized when saved and not escaped when displayed again, either on that page or on the frontend pages that contain the poll text configured there.
Lack of Protection Against Direct Access to Files
Numerous .php files that do not look like they are intended to be accessed directly lack code at the beginning of the file to restrict direct access. In the files we looked over, we didn’t see anything that could be exploited due to that.
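As an added illustration of the three fixes the findings above call for (CSRF protection on poll status changes and on saving the Texts Changes, sanitizing poll text on save and escaping it on output, and a direct-access guard at the top of a plugin file), here is a hypothetical WordPress admin handler. This is example code written for this review, not code from Democracy Poll; the `dp_example_*` function names, the `dp_example_texts` and `dp_example_poll_status` option names, and the nonce action names are all assumptions. Everything else is standard WordPress API.

```php
<?php
/**
 * Example only (not Democracy Poll's code). Shows, on a hypothetical
 * poll-admin handler, the controls the review found missing.
 * Assumed names: dp_example_*, options 'dp_example_texts' and
 * 'dp_example_poll_status', nonce actions 'dp_example_poll_status_<id>'
 * and 'dp_example_save_texts'.
 */

// 1. Direct-access guard: WordPress defines ABSPATH when it loads this file;
//    a direct HTTP request to the file does not, so nothing below runs.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/** Persist a poll's status in an option (stand-in for the plugin's own table). */
function dp_example_set_poll_status( $poll_id, $status ) {
    $statuses              = get_option( 'dp_example_poll_status', array() );
    $statuses[ $poll_id ] = $status;
    update_option( 'dp_example_poll_status', $statuses );
}

/** Build a status-change link (close/open/activate/deactivate/delete) with a nonce. */
function dp_example_status_link( $poll_id, $new_status ) {
    $url = add_query_arg(
        array(
            'action'  => 'dp_example_poll_status',
            'poll_id' => absint( $poll_id ),
            'status'  => $new_status,
        ),
        admin_url( 'admin-post.php' )
    );
    // The poll ID is part of the nonce action, so a token issued for one
    // poll is not valid for another.
    return wp_nonce_url( $url, 'dp_example_poll_status_' . absint( $poll_id ) );
}

/** Handler for the status link. */
function dp_example_handle_status() {
    $poll_id = isset( $_GET['poll_id'] ) ? absint( $_GET['poll_id'] ) : 0;

    // 2a. CSRF protection: dies with a 403 if the nonce is missing or invalid,
    //     so a request forged from another site the admin visits is rejected.
    check_admin_referer( 'dp_example_poll_status_' . $poll_id );

    // 2b. Authorization is a separate check from CSRF protection.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $allowed = array( 'open', 'closed', 'active', 'inactive', 'deleted' );
    $status  = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_die( 'Unknown status', '', array( 'response' => 400 ) );
    }

    dp_example_set_poll_status( $poll_id, $status );
    wp_safe_redirect( admin_url( 'admin.php?page=dp_example&updated=1' ) );
    exit;
}
add_action( 'admin_post_dp_example_poll_status', 'dp_example_handle_status' );

/** Texts settings form: the nonce field makes the POST verifiable on save. */
function dp_example_texts_form() {
    $texts = get_option( 'dp_example_texts', array( 'vote_button' => 'Vote' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'dp_example_save_texts' );
    echo '<input type="hidden" name="action" value="dp_example_save_texts">';
    // 3b. Escape on output: the stored value is re-displayed inside an attribute.
    echo '<input type="text" name="vote_button" value="' . esc_attr( $texts['vote_button'] ) . '">';
    echo '<button type="submit">Save</button></form>';
}

/** Save handler for the texts form. */
function dp_example_save_texts() {
    check_admin_referer( 'dp_example_save_texts' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3a. Sanitize on save: tags are stripped, so markup never reaches the database.
    $vote_button = isset( $_POST['vote_button'] )
        ? sanitize_text_field( wp_unslash( $_POST['vote_button'] ) )
        : 'Vote';
    update_option( 'dp_example_texts', array( 'vote_button' => $vote_button ) );
    wp_safe_redirect( admin_url( 'admin.php?page=dp_example&updated=1' ) );
    exit;
}
add_action( 'admin_post_dp_example_save_texts', 'dp_example_save_texts' );

/** Frontend rendering of the same text: escape again at the point of output. */
function dp_example_vote_button_html() {
    $texts = get_option( 'dp_example_texts', array( 'vote_button' => 'Vote' ) );
    return '<button class="dp-vote">' . esc_html( $texts['vote_button'] ) . '</button>';
}
```

The two halves of the texts fix are independent on purpose: sanitizing on save stops markup from being stored, and escaping on output (`esc_attr` in the form, `esc_html` on the frontend) protects even values that were stored before the fix. The nonce and capability checks are likewise separate; a nonce proves the request originated from the plugin's own page, while `current_user_can` decides whether that user is allowed to perform the action at all.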