I came across an interesting point that outlines the dangers of using $_SERVER variables to submit forms, a practice that's pretty common in WordPress plugins. The problem is that it opens the form up to be used for cross-site scripting (XSS) exploits. The post even has a couple of examples demonstrating how the exploits could be put together; examples that you can use to test your own code.
It’s important to know about these exploits and how they work. Ignoring them when writing code is a bit like putting cardboard displays in front of a crumbling building. It may look pretty from the outside, but you’re building something that is putting other people at risk.
So, read the post here.
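To make the risk concrete, here is an added example (not taken from the linked post or from any plugin) that puts the unescaped pattern beside two hardened forms. The function names, the sample request values and the choice of `PHP_SELF` as the `$_SERVER` variable are assumptions for illustration.

```php
<?php
// Added example. Function names and request values are constructed.

// Vulnerable pattern: a request-derived $_SERVER value is written into the
// action attribute as-is, so markup in the URL path becomes page markup.
function form_action_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern 1: encode for the HTML attribute context on output.
// In a WordPress plugin, esc_url() or esc_attr() fills this role.
function form_action_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Hardened pattern 2: do not reflect the request at all. Use a path the
// code already knows, and still encode it when writing the attribute.
function form_action_fixed(string $knownPath): string
{
    return '<form method="post" action="'
        . htmlspecialchars($knownPath, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// True when the attribute value was closed early and new markup follows.
function attribute_was_broken(string $html): bool
{
    return strpos($html, '"><b') !== false;
}

// Constructed request: PHP_SELF includes anything appended after the script
// name, so the client controls part of it. The marker tag is harmless.
$server = ['PHP_SELF' => '/wp-admin/options.php/"><b data-test="marker">'];

$results = [
    'unsafe'  => form_action_unsafe($server),
    'escaped' => form_action_escaped($server),
    'fixed'   => form_action_fixed('/wp-admin/options.php'),
];

foreach ($results as $label => $html) {
    printf("%-8s broken=%s  %s\n", $label, attribute_was_broken($html) ? 'yes' : 'no', $html);
}
```

Running the same constructed path through your own form-rendering code is a quick regression check: only the unescaped variant should report a broken attribute.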

