High-Severity Vulnerability in WordPress Popular Posts Plugin Affects Over 100,000 Websites

A critical security advisory has been issued regarding a vulnerability in the WordPress Popular Posts plugin, which could allow attackers to inject arbitrary shortcodes into affected websites. Alarmingly, the exploit can be executed without the need for a user account, significantly increasing the risk to website owners.

About the WordPress Popular Posts Plugin

The WordPress Popular Posts plugin is a widely used tool with over 100,000 active installations. It allows website administrators to display their most popular content over specific time periods, enhancing user engagement. The plugin supports translations in 16 languages, making it accessible to users worldwide. It also includes caching features to boost performance and an admin console for tracking post popularity statistics.

Understanding the Vulnerability: Shortcodes and Their Risks

Shortcodes are a WordPress feature that simplifies the process of adding functionalities to web pages. For example, inserting [add_contact_form] into a post automatically creates a functional contact form. However, shortcodes rely on the do_shortcode() function, which processes and executes these snippets. If not properly sanitized and validated, this function becomes a security risk.

WordPress has been gradually phasing out shortcodes in favor of blocks, which offer a more user-friendly and secure way to add functionality. Blocks eliminate the need for manual shortcode insertion, making them a preferred option for both developers and users. WordPress encourages developers to transition to blocks for a smoother and safer workflow:

“We would recommend people eventually upgrade their shortcodes to be blocks.”

Details of the Exploit

The vulnerability in the WordPress Popular Posts plugin stems from improper validation of inputs passed to the do_shortcode() function. According to Wordfence, a leading WordPress security company:

"The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode."

In practical terms, this means attackers could exploit the vulnerability to inject malicious shortcodes into a website, potentially leading to unauthorized actions or site compromise.

Transparency and Changelog Updates

The developers of the WordPress Popular Posts plugin have been transparent about the issue. In the plugin’s changelog for version 7.2.0, they acknowledged and credited the discovery of the vulnerability:

"Fixes a security issue that allows unintended arbitrary shortcode execution (props to mikemyers and the Wordfence team!)"

A changelog is a vital tool for users, providing insights into updates and allowing them to make informed decisions about installing updates.

Recommended Actions for Website Owners

To protect their websites, administrators using the WordPress Popular Posts plugin should immediately update to the latest version, 7.2.0. This update resolves the vulnerability by addressing the input validation issue in the do_shortcode() function.

For more details, website owners can refer to the official Wordfence advisory: WordPress Popular Posts <= 7.1.0 – Unauthenticated Arbitrary Shortcode Execution.

Additional Steps to Enhance Security

1. Regular Updates: Keep all plugins, themes, and WordPress core files updated to their latest versions to minimize vulnerabilities.
2. Use Security Plugins: Install a trusted security plugin like Wordfence to monitor and mitigate potential threats.
3. Limit Plugin Usage: Only install plugins from reputable developers and remove those that are no longer maintained.
4. Backups: Maintain regular backups of your website to ensure quick recovery in case of a breach.

By staying vigilant and proactive, website administrators can mitigate risks and ensure their sites remain secure against emerging threats.