We have used this plugin for some months now. It is doing a good job on our site and is stable.
I stumbled over two problems today:
- This plugin is vulnerable to integer injections: It does not check the POST data in AJAX requests. It is possible to inject huge (both positive and negative) ratings through the 'stars' parameter.
- Your PHP code does not check the AJAX source IP. It just tells the browser not to allow rating more often than once. This allows an unlimited number of ratings.
Both vulnerabilities allow setting a post's rating to any value. Combining them makes it even easier.
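For anyone maintaining a similar rating plugin, here is an added example (not this plugin's code) of the two server-side checks the post above says are missing: range validation of the 'stars' POST parameter and one-vote-per-client enforcement done on the server rather than in the browser. The AJAX action name `star_rate`, the nonce name and the `_star_*` post meta keys are assumptions.

```php
<?php
// Added hardening example, not the plugin's own code. Assumed names:
// AJAX action "star_rate", nonce "star_rate_nonce", meta keys "_star_total",
// "_star_count" and "_star_voters".
add_action( 'wp_ajax_star_rate',        'star_rate_handle_vote' );
add_action( 'wp_ajax_nopriv_star_rate', 'star_rate_handle_vote' );

function star_rate_handle_vote() {
    // Reject requests that do not carry the nonce issued with the page.
    check_ajax_referer( 'star_rate_nonce', 'nonce' );

    // Validate 'stars' on the server: an integer in 1..5 and nothing else,
    // so huge positive or negative values are rejected before they are stored.
    $stars = filter_input( INPUT_POST, 'stars', FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1, 'max_range' => 5 ) ) );
    $post_id = filter_input( INPUT_POST, 'post_id', FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) ) );
    if ( false === $stars || null === $stars || ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid rating', 400 );
    }

    // One vote per client per post, enforced here, not by the browser.
    // Keyed by a salted hash of the client IP; adapt if you sit behind a proxy.
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $voter  = hash( 'sha256', $ip . wp_salt( 'nonce' ) );
    $voters = get_post_meta( $post_id, '_star_voters', true );
    $voters = is_array( $voters ) ? $voters : array();
    if ( isset( $voters[ $voter ] ) ) {
        wp_send_json_error( 'already rated', 429 );
    }
    $voters[ $voter ] = time();
    update_post_meta( $post_id, '_star_voters', $voters );

    // Running total and count; the average is derived, never sent by the client.
    $total = (int) get_post_meta( $post_id, '_star_total', true ) + $stars;
    $count = (int) get_post_meta( $post_id, '_star_count', true ) + 1;
    update_post_meta( $post_id, '_star_total', $total );
    update_post_meta( $post_id, '_star_count', $count );

    wp_send_json_success( array(
        'average' => round( $total / $count, 2 ),
        'count'   => $count,
    ) );
}
```

IP-based deduplication is coarse (shared NAT, changing addresses), so for logged-in users key the vote on the user ID instead.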