$_POST['poll_id'] is not escaped properly.

By default it's possible to upload .html files. So we can put XSS there.

Nonce token is not checked inside install_new_favicon() function.

$_GET['cs-msg'] is not escaped.

Example of hash length extension vulnerability

googleapis.com domain is whitelisted by default.

$_GET['vid'] is not escaped.

Every registered user can change livefyre_site_id and livefyre_site_key.