
WordPress Popular Posts Plugin Vulnerability Affects 100k+ Sites


An alert has been issued about a high-severity WordPress vulnerability that allows attackers to inject arbitrary shortcodes into websites using the WordPress Popular Posts plugin. Attackers do not need a user account to launch an attack.

Installed on more than 100,000 websites, WordPress Popular Posts allows websites to display the most popular posts within a specific time period and has been translated into sixteen different languages to expand usage worldwide. It comes with caching features to improve performance and an admin console that allows website administrators to view popularity statistics.

WordPress Shortcode Vulnerability

Shortcodes are a feature that lets users insert functionality into a web page by typing a predefined snippet inside square brackets; WordPress replaces the snippet with the output of the function registered for it. For example, a contact form might be added with a shortcode that looks like this: [add_contact_form].

WordPress is gradually moving away from shortcodes in favor of blocks for certain functions. The official WordPress developer site encourages plugin and theme developers to replace shortcodes with dedicated blocks, the main reason being that it is easier for a user to select and insert a block than to configure a shortcode within a plugin and then insert it into the site manually.

WordPress advises:

“We would recommend that people possibly upgrade their shortcodes to be blocks.”

The vulnerability discovered in the WordPress Popular Posts plugin lies in how the plugin uses the shortcode feature, specifically the call to do_shortcode(), the WordPress function that parses and executes shortcodes. Because do_shortcode() runs whatever shortcodes appear in the text it is given, any value passed to it must first be validated and sanitized, in line with standard WordPress plugin and theme security practices.

According to the advice posted by Wordfence:

“The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 7.1.0. This is because the software allows users to perform an action that does not properly validate the value before running do_shortcode. This allows unauthenticated attackers to execute arbitrary shortcodes.”

That part about “value validation” generally means checking that what the user supplies (“the value”), such as the content of a shortcode, has been confirmed to be safe and to conform to the expected inputs before it is passed on for use by the website.
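To make the “value validation” point concrete, here is an added illustration (not the plugin's own code, and not from Wordfence) of the pattern the advisory describes: a request handler that forwards a caller-supplied value straight to do_shortcode(), followed by a hardened handler that accepts only validated parameters and builds the shortcode string itself. The hook names, parameter names and shortcode tag are hypothetical.

```php
<?php
// Added illustration, not code from the WordPress Popular Posts plugin.
// Hook names, request parameters and the shortcode tag are hypothetical.

// BEFORE (vulnerable pattern): whatever the request carries is rendered as
// shortcode markup, so any shortcode registered on the site can be invoked.
function example_render_unsafe() {
    $markup = isset( $_REQUEST['value'] ) ? wp_unslash( $_REQUEST['value'] ) : '';
    echo do_shortcode( $markup );
    wp_die();
}

// AFTER (hardened pattern): the caller never supplies shortcode markup.
// It supplies only the parameters the feature needs; each one is validated
// against an allowlist or numeric range, and the shortcode string is
// assembled server-side from a tag chosen by the plugin.
function example_render_safe() {
    // Nonce check ties the request to a page this site served.
    check_ajax_referer( 'example_render', 'nonce' );

    $allowed_ranges = array( 'daily', 'weekly', 'monthly', 'all' );
    $range = isset( $_REQUEST['range'] ) ? sanitize_key( $_REQUEST['range'] ) : 'daily';
    if ( ! in_array( $range, $allowed_ranges, true ) ) {
        wp_send_json_error( 'invalid range', 400 ); // exits
    }

    $limit = isset( $_REQUEST['limit'] ) ? absint( $_REQUEST['limit'] ) : 10;
    $limit = min( max( $limit, 1 ), 50 ); // clamp to a sane range

    // The tag is a constant decided by the plugin, never by the request.
    $tag = 'example_popular_posts';
    if ( ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'feature unavailable', 500 ); // exits
    }

    $markup = sprintf( '[%s range="%s" limit="%d"]', $tag, esc_attr( $range ), $limit );
    wp_send_json_success( do_shortcode( $markup ) );
}

// Registered for both logged-in and anonymous callers, so the validation
// above is the only thing standing between the request and do_shortcode().
add_action( 'wp_ajax_example_render', 'example_render_safe' );
add_action( 'wp_ajax_nopriv_example_render', 'example_render_safe' );
```

The difference to look for when reviewing a plugin is whether the string handed to do_shortcode() can contain anything the request author wrote, or only values the code itself composed from validated parts.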

The official plugin changelog

The changelog documents what each update changes, giving plugin users the opportunity to understand what is being updated and to decide whether or not to update their installation, so transparency is important.

The WordPress Popular Posts plugin is responsibly transparent in its update documentation.

The plugin changelog advises:

“Fixes a security issue that allows inadvertent arbitrary shortcode execution (ads to mikemyers and the Wordfence team!)”

Recommended actions

All versions of the WordPress Popular Posts plugin up to and including version 7.1.0 are vulnerable. Wordfence recommends updating to the latest version of the plugin, 7.2.0.

Read the official Wordfence advice:

WordPress Popular Posts <= 7.1.0 - Unauthenticated Arbitrary Shortcode Execution

Featured Image Shutterstock/GrandeDuc


