WordPress Popular Posts Plugin Vulnerability Affects 100k+ Sites

Jan 5, 2025 | SEO News Feeds


An advisory has been issued about a high-severity WordPress vulnerability that makes it possible for attackers to inject arbitrary shortcodes into sites using the WordPress Popular Posts plugin. Attackers do not need a user account to launch an attack.

WordPress Popular Posts, installed on over 100,000 websites, enables a site to display its most popular posts within any given time period, and has been translated into sixteen languages to extend its use around the world. It comes with caching features to improve performance and an admin console that allows website administrators to view popularity statistics.

WordPress Shortcode Vulnerability

Shortcodes are a feature that lets users insert functionality into a web page by placing a predefined snippet in square brackets; WordPress replaces the snippet with the output of a script that performs the function, such as adding a contact form with a shortcode that looks like this: [add_contact_form].

WordPress is gradually evolving away from the use of shortcodes in favor of blocks with specific functionalities. The official WordPress developer site encourages plugin and theme developers to discontinue using shortcodes in favor of dedicated blocks, the main reason being that it is a smoother workflow for a user to select and insert a block than to configure a shortcode within a plugin and then manually insert the shortcode into a webpage.

WordPress advises:

“We would recommend people eventually upgrade their shortcodes to be blocks.”

The vulnerability discovered in the WordPress Popular Posts plugin is due to the implementation of the shortcode functionality, specifically the use of do_shortcode(), a WordPress function that processes and executes shortcodes and whose input must be sanitized in line with standard WordPress plugin and theme security practices.

According to an advisory published by Wordfence:

“The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.”

That part about “validating a value” generally means checking that what the user inputs (the “value”), such as the content of a shortcode, is safe and conforms to the expected input before it is passed along for use by the website.
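To make the shortcode mechanism and the validation point concrete, here is an added PHP example; it is not code from the WordPress Popular Posts plugin or from the Wordfence advisory. It registers a hypothetical shortcode, shows the general shape of an action handler that hands a request value straight to do_shortcode() without validating it, and a hardened version that only lets the caller pick from a server-side allowlist. Every name prefixed example_ is invented for this illustration; the WordPress API calls themselves (add_shortcode, shortcode_atts, do_shortcode, check_ajax_referer, current_user_can, sanitize_key, wp_send_json_error, wp_send_json_success) are real and assume the WordPress runtime is loaded, i.e. the file runs as part of a plugin.

```php
<?php
// Added illustrative example, not code from the WordPress Popular Posts plugin.
// Assumes it runs inside a loaded WordPress plugin so the WP API is available.

// 1. How a shortcode works: register a tag and the callback that renders it.
//    Placing [example_greeting name="Ada"] in post content yields the <p>.
add_shortcode( 'example_greeting', function ( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'visitor' ), $atts, 'example_greeting' );
    return '<p>Hello, ' . esc_html( $atts['name'] ) . '!</p>';
} );

// 2. The risky pattern the advisory describes, in hypothetical form: an action
//    handler that takes a request value and passes it to do_shortcode() as-is.
//    do_shortcode() expands ANY registered shortcode it finds in the string, so
//    whoever can reach this handler, not the site owner, decides which
//    shortcodes run and with which attributes.
function example_vulnerable_handler() {
    $markup = isset( $_REQUEST['markup'] ) ? wp_unslash( $_REQUEST['markup'] ) : '';
    echo do_shortcode( $markup ); // unvalidated value reaches do_shortcode()
    wp_die();
}

// 3. Hardened form: the caller never supplies shortcode text. It names a
//    preset; the shortcode string is fixed on the server, the request carries
//    a nonce, and the user must hold a capability appropriate to the action.
function example_hardened_handler() {
    if ( ! check_ajax_referer( 'example_widget_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allowlist: only these plugin-owned shortcode strings can ever be run.
    $presets = array(
        'weekly'  => '[example_popular range="last7days" limit="5"]',
        'monthly' => '[example_popular range="last30days" limit="10"]',
    );

    // sanitize_key() reduces the input to [a-z0-9_-]; the lookup then rejects
    // anything that is not an exact preset name.
    $preset = isset( $_REQUEST['preset'] ) ? sanitize_key( $_REQUEST['preset'] ) : '';
    if ( ! array_key_exists( $preset, $presets ) ) {
        wp_send_json_error( 'unknown preset', 400 );
    }

    wp_send_json_success( do_shortcode( $presets[ $preset ] ) );
}
// Registered only for logged-in requests; there is no wp_ajax_nopriv_ hook
// because rendering site content on demand is not an anonymous operation.
add_action( 'wp_ajax_example_render', 'example_hardened_handler' );
```

The design point is that validation here is not about escaping the string better: a shortcode string is effectively a small program, so the safe fix is to stop accepting one from the request at all and let the client choose only among values the plugin already controls. When auditing a plugin, grep for do_shortcode() and trace each argument back to its origin; any path that starts at $_GET, $_POST, $_REQUEST or a REST parameter deserves the treatment above.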

Official Plugin Changelog

A changelog documents what is being updated. For users of a plugin it provides an opportunity to understand what has changed and to decide whether or not to update their installation, so transparency matters.


The WordPress Popular Posts plugin is responsibly transparent in its documentation of the update.

The plugin changelog advises:

“Fixes a security issue that allows unintended arbitrary shortcode execution (props to mikemyers and the Wordfence team!)”

Recommended Actions

All versions of the WordPress Popular Posts plugin up to and including version 7.1.0 are vulnerable. Wordfence recommends updating to the latest version of the plugin, 7.2.0.

Read the official Wordfence advisory:

WordPress Popular Posts <= 7.1.0 – Unauthenticated Arbitrary Shortcode Execution

Featured Image by Shutterstock/GrandeDuc
