  • Advisory ID: DRUPAL-SA-CONTRIB-2009-010
  • Project: Plus 1 (third-party module)
  • Version: 6.x
  • Date: 2009 March 18
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site request forgery (CSRF)


The Plus 1 module provides a voting widget for content that records votes using Ajax.

The URL for voting is vulnerable to cross-site request forgery (CSRF), which makes it possible for users to vote for content unknowingly.
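The following added example is not the Plus 1 module's code and is not taken from the 6.x-2.6 fix; it shows the general mitigation for this class of bug, where a state-changing vote URL must carry a token bound to the user's session and to the node being voted on. All function names, the key and the session values are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical names, not the Plus 1 module's code.

// Derive a token bound to the user's session and to one specific action.
function vote_token(string $session_id, string $site_key, int $nid): string {
  return hash_hmac('sha256', $session_id . ':vote:' . $nid, $site_key);
}

// Vulnerable shape: the session cookie alone authorises the state change,
// so a request the user never intended is indistinguishable from a real one.
function vote_unprotected(array $session, int $nid, array &$votes): bool {
  if (empty($session['uid'])) {
    return FALSE;
  }
  $votes[$nid][$session['uid']] = 1;
  return TRUE;
}

// Hardened shape: the request must also carry a token that only pages
// rendered by the site for this session can contain.
function vote_protected(array $session, int $nid, ?string $token, string $site_key, array &$votes): bool {
  if (empty($session['uid']) || !is_string($token)) {
    return FALSE;
  }
  $expected = vote_token($session['id'], $site_key, $nid);
  if (!hash_equals($expected, $token)) {  // constant-time comparison
    return FALSE;
  }
  $votes[$nid][$session['uid']] = 1;
  return TRUE;
}

// Constructed sample data.
$site_key = 'constructed-site-private-key';
$session  = ['id' => 'constructed-session-id', 'uid' => 7];
$votes    = [];

// A request with a valid session but no token, as the server sees a forged one.
var_dump(vote_unprotected($session, 42, $votes));
$votes = [];
var_dump(vote_protected($session, 42, NULL, $site_key, $votes));
// A token issued for node 41 must not authorise a vote on node 42.
$t41 = vote_token($session['id'], $site_key, 41);
var_dump(vote_protected($session, 42, $t41, $site_key, $votes));
// The token the site embeds in its own voting link for node 42.
$t42 = vote_token($session['id'], $site_key, 42);
var_dump(vote_protected($session, 42, $t42, $site_key, $votes));
```

Within Drupal itself, `drupal_get_token()` and `drupal_valid_token()` provide this kind of session-bound token, so a module does not need to implement its own.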

Versions affected

  • Versions of Plus 1 prior to 6.x-2.6

Drupal core is not affected. If you do not use the contributed Plus 1 module, there is nothing you need to do.


Install the latest version:

See also the Plus 1 project page.

Reported by

Greg Knaddison of the Drupal security team.

Fixed by

Greg Knaddison
Ben Jeavons
Neil Drumm
Caroline Schnapp


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.