`FrmFormsController

Prevent username enumeration

$whereClause and $whereClauseT and $whereClauseW and $whereClause2W are not escaped.

Inside almost all wp_ajax function there is no privilege check.

Every registered user can access plugin admin interface.

$_POST['poll_id'] is not escaped properly.

By default it's possible to upload .html files. So we can put XSS there.

Nonce token is not checked inside install_new_favicon() function.