wpvulndb | Captain_hook | WPVDB-ID:D0DA4C0D-622F-4310-A867-6BFDB474073A
History: Jun 12, 2023 - 12:00 a.m.

Forminator < 1.24.1 - Unauthenticated Race Condition on poll vote

2023-06-12 00:00:00
captain_hook
wpscan.com
forminator
unauthenticated
race condition
poll vote
vulnerability
turbo intruder
burp
wordpress server

EPSS

0.001

Percentile

21.7%

The plugin does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.

PoC

1. Create a poll and publish a page with a poll.
2. Visit the page with the poll.
3. Using Burp and the Turbo Intruder extension, intercept the poll submission.
4. Send the request to Turbo Intruder using Action > Extensions > Turbo Intruder > Send to turbo intruder.
5. Drop the initial request and turn Intercept off.
6. In the Turbo Intruder window, add the header S: %s.
7. Use the code examples/race.py.
8. Click “Attack” at the bottom of the window. This will send multiple requests to the server at the exact same moment.
9. Log into the site and visit /wp-admin/admin.php?page=forminator-reports&form_type=forminator_polls&form_id=5 (replacing the form_id parameter with a valid one).
10. Notice that more than one submission has been recorded.

Note that this cannot be replicated on a single-process, single-threaded WordPress server.
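The check-then-update flaw described above, next to an atomic alternative, as an added example (not Forminator's code and not part of the original advisory). The `votes` table, the voter value and SQLite standing in for the WordPress database are assumptions; the barrier models simultaneous requests by holding every one of them past the check before any insert happens.

```python
import sqlite3
import threading

N = 8                  # simultaneous submissions from one voter (constructed)
VOTER = "voter-1"      # constructed voter identifier
POLL = 5               # constructed poll id

def run(atomic: bool) -> int:
    """Submit N concurrent votes from one voter; return the rows recorded."""
    db = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
    # Hypothetical table, not Forminator's schema.
    db.execute("CREATE TABLE votes (poll_id INTEGER, voter TEXT, answer TEXT"
               + (", UNIQUE (poll_id, voter))" if atomic else ")"))
    stmt_lock = threading.Lock()     # serialises single statements only
    barrier = threading.Barrier(N)   # all requests arrive together

    def sql(query, args):
        with stmt_lock:
            return db.execute(query, args).fetchall()

    def check_then_insert():
        # Vulnerable pattern: the check and the update are separate steps.
        seen = sql("SELECT 1 FROM votes WHERE poll_id=? AND voter=?", (POLL, VOTER))
        barrier.wait()               # every request has passed the check by now
        if not seen:
            sql("INSERT INTO votes VALUES (?, ?, ?)", (POLL, VOTER, "yes"))

    def atomic_insert():
        barrier.wait()
        # Hardened pattern: one statement; the UNIQUE index rejects duplicates.
        sql("INSERT OR IGNORE INTO votes VALUES (?, ?, ?)", (POLL, VOTER, "yes"))

    worker = atomic_insert if atomic else check_then_insert
    threads = [threading.Thread(target=worker) for _ in range(N)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return db.execute("SELECT COUNT(*) FROM votes").fetchone()[0]

if __name__ == "__main__":
    print("check-then-insert rows:", run(atomic=False))
    print("atomic insert rows:    ", run(atomic=True))
```

With a single worker the check always runs after the previous insert, which is why the issue does not appear on a single-process, single-threaded server.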
