WordPress Popular Posts Plugin Vulnerability Affects 100k+ Sites


A high-severity vulnerability in the WordPress Popular Posts plugin lets unauthenticated attackers execute arbitrary shortcodes


Wordfence has published an advisory about a high-severity vulnerability that makes it possible for attackers to execute arbitrary shortcodes on sites running the WordPress Popular Posts plugin. No user account is needed: the attack works unauthenticated.

WordPress Popular Posts is installed on over 100,000 websites. It lets a site display its most popular posts within any given time period and has been translated into sixteen languages to extend its use around the world. It comes with caching features to improve performance and an admin console that allows website administrators to view popularity statistics.

WordPress Shortcode Vulnerability

Shortcodes are a WordPress feature that lets users insert functionality into a page by typing a predefined tag in square brackets. When the page is rendered, WordPress replaces the tag with the output of the PHP callback registered for it, so a contact form could be added with a shortcode that looks like this: [add_contact_form].

WordPress is gradually moving away from shortcodes in favor of blocks with specific functionality. The official WordPress developer site encourages plugin and theme developers to replace shortcodes with dedicated blocks, mainly because it is a smoother workflow for a user to select and insert a block than to configure a shortcode within a plugin and then manually insert it into a page.

WordPress advises:

“We would recommend people eventually upgrade their shortcodes to be blocks.”

The vulnerability stems from how the plugin uses do_shortcode(), the WordPress function that parses a string for shortcode tags and runs the callback registered for each one. Whatever string reaches do_shortcode() is executed as shortcode markup, so that string must come from trusted code or be strictly validated first. Passing a request value to it unvalidated is a well-known anti-pattern that standard WordPress plugin and theme security practices warn against.

According to an advisory published by Wordfence:

“The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.”

"Validating a value" here means checking that the user-supplied input (the value), such as the shortcode string or its parameters, matches what the code expects before it is passed to do_shortcode(). Without that check, an attacker can supply any shortcode tag registered on the site by any active plugin or theme, not just the one the plugin intended to render, and have its callback run without logging in.
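The following is an added illustration written for this article; it is not the WordPress Popular Posts plugin's code and does not reproduce the actual flaw. It shows the generic pattern the Wordfence advisory describes (an AJAX action that hands a request value to do_shortcode() without validating it) next to a hardened version, and it also shows how a shortcode is registered, as described in the shortcode section above. It assumes it is loaded inside a WordPress install (for example as an mu-plugin); the hook names, the example_popular shortcode tag, and the parameter names are hypothetical.

```php
<?php
/*
 * Illustration only: NOT the WordPress Popular Posts plugin's code.
 * Shows the pattern "request value -> do_shortcode()" and one way to
 * close it. Assumes WordPress is loaded; all hook and shortcode names
 * below are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Because of the *_nopriv_ hook, anyone can POST
//   action=example_popular_widget_vulnerable&shortcode=[any_tag]
// to /wp-admin/admin-ajax.php and WordPress runs that tag's callback.
// Every shortcode registered by every active plugin and theme is
// reachable, not just this plugin's own.
function example_popular_widget_ajax_vulnerable() {
    $markup = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    wp_send_json_success( do_shortcode( $markup ) ); // attacker controls $markup
}
add_action( 'wp_ajax_nopriv_example_popular_widget_vulnerable', 'example_popular_widget_ajax_vulnerable' );
add_action( 'wp_ajax_example_popular_widget_vulnerable',        'example_popular_widget_ajax_vulnerable' );

// --- Hardened pattern -------------------------------------------------------
// The request no longer carries shortcode markup at all. It carries a few
// typed parameters; each is validated against an expected type or an
// allowlist, and the server builds the one shortcode this endpoint exists
// to render. do_shortcode() never sees attacker-chosen text.
function example_popular_widget_ajax_hardened() {
    // 1. CSRF check: nonce issued to the page that embeds the widget.
    check_ajax_referer( 'example_popular_widget', 'nonce' );

    // 2. Validate each parameter (wp_send_json_error() exits on failure).
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 5;
    if ( $limit < 1 || $limit > 20 ) {
        wp_send_json_error( 'limit out of range', 400 );
    }

    $allowed_ranges = array( 'daily', 'weekly', 'monthly', 'all' );
    $range = isset( $_POST['range'] ) ? sanitize_key( wp_unslash( $_POST['range'] ) ) : 'daily';
    if ( ! in_array( $range, $allowed_ranges, true ) ) {
        wp_send_json_error( 'unknown range', 400 );
    }

    // 3. Build the shortcode server-side from validated values only.
    $markup = sprintf( '[example_popular limit="%d" range="%s"]', $limit, $range );

    // 4. Defence in depth: refuse if our own tag is not registered.
    if ( ! shortcode_exists( 'example_popular' ) ) {
        wp_send_json_error( 'renderer unavailable', 500 );
    }

    wp_send_json_success( do_shortcode( $markup ) );
}
add_action( 'wp_ajax_nopriv_example_popular_widget', 'example_popular_widget_ajax_hardened' );
add_action( 'wp_ajax_example_popular_widget',        'example_popular_widget_ajax_hardened' );

// --- The shortcode itself (hypothetical) -----------------------------------
// shortcode_atts() drops any attribute not listed in the defaults, so a
// forged attribute name is ignored; the values are still re-validated here
// because a shortcode can also be reached from post content.
function example_popular_shortcode( $atts ) {
    $atts  = shortcode_atts( array( 'limit' => 5, 'range' => 'daily' ), $atts, 'example_popular' );
    $limit = min( 20, max( 1, absint( $atts['limit'] ) ) );
    $range = sanitize_key( $atts['range'] );
    return sprintf(
        '<ul class="popular-posts" data-range="%s" data-limit="%d"></ul>',
        esc_attr( $range ),
        $limit
    );
}
add_shortcode( 'example_popular', 'example_popular_shortcode' );
```

The design point is that the fix is not "sanitize the shortcode string" but "never accept a shortcode string from the client". Once the request carries only typed parameters, each can be checked against an exact expectation, and the only shortcode tag that can ever reach do_shortcode() is the one the endpoint was written to render.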

Official Plugin Changelog

A changelog documents what an update changes. For plugin users it is the chance to understand what an update does and to decide whether to apply it, which is why transparency matters.

The WordPress Popular Posts plugin is responsibly transparent in its documentation of the update.

The plugin changelog advises:

“Fixes a security issue that allows unintended arbitrary shortcode execution (props to mikemyers and the Wordfence team!)”

Recommended Actions

All versions of the WordPress Popular Posts plugin up to and including version 7.1.0 are vulnerable. Wordfence recommends updating to the latest version of the plugin, 7.2.0.

Read the official Wordfence advisory:

WordPress Popular Posts <= 7.1.0 – Unauthenticated Arbitrary Shortcode Execution


Roger Montti, SEJ Staff, Owner of Martinibuster.com

