Massive WordPress Flaw Impacts Over 100k Sites

A severe security vulnerability was detected in the WordPress Popular Posts plugin, compromising more than 100,000 sites to an attack exploitation. This high-severity issue allows attackers to inject arbitrary shortcodes without requiring a user account. The plugin, widely used for displaying a site’s most popular posts, is a favorite among WordPress administrators due to its caching features, detailed popularity analytics, and multilingual support.

All About The Shortcode Vulnerability

Shortcodes in WordPress are snippets enclosed in brackets (e.g., [add_contact_form]) that embed functionalities like forms or galleries directly into pages or posts. While this feature simplifies content customization, it requires strict input sanitization to prevent misuse.

The susceptibility in the WordPress Popular Posts plugin stems from improper validation of inputs passed to the do_shortcode() function, a WordPress feature that processes shortcodes. This oversight allows attackers to execute arbitrary shortcodes, which could lead to significant site compromise.

WordPress itself is gradually transitioning away from shortcodes, favoring blocks for enhanced usability and security. Developers are encouraged to adopt blocks for a smoother workflow and to phase out shortcode dependency.

Security Advisory and Plugin Update

The drawback affects all versions of the WordPress Popular Posts plugin up to version 7.1.0. Wordfence, a leading WordPress security provider, issued the advisory, explaining that improper validation in the plugin allows unauthenticated users to exploit the do_shortcode() function.

Validation ensures that user-provided inputs conform to expected formats before processing. Failing to implement such checks can leave plugins exposed to malicious code execution.

Acknowledging the issue, the plugin developers responsibly documented the fix in their changelog, which states:

“Fixes a security issue that allows unintended arbitrary shortcode execution (props to mikemyers and the Wordfence team!).”

The update to version 7.2.0 addresses this vulnerability, securing sites against arbitrary shortcode injections.

Recommended Actions for Website Owners

Website administrators using the WordPress Popular Posts plugin are strongly advised to update to version 7.2.0 immediately. Failure to update leaves websites exposed to potential exploits that could disrupt operations, compromise data, or damage user trust.

Additionally, administrators should regularly review plugin changelogs and adopt security best practices, such as keeping all themes and plugins up-to-date and using firewalls to detect and prevent potential exploits.

Conclusion

The fault in the WordPress Popular Posts plugin reflects the importance of robust input validation and ongoing vigilance in website security. By promptly updating to the latest version and following WordPress security recommendations, you can tackle risks and protect websites from possible attacks.