WordPress Popular Posts Plugin Vulnerability Affects 100k+ Sites


High-severity vulnerability discovered in the WordPress Popular Posts plugin makes it possible for attackers to inject arbitrary shortcodes


An advisory has been issued about a high-severity WordPress vulnerability that makes it possible for attackers to inject arbitrary shortcodes into sites using the WordPress Popular Posts plugin. Attackers do not need a user account to launch an attack.

WordPress Popular Posts is installed on over 100,000 websites. It enables a site to display its most popular posts within any given time period and has been translated into sixteen different languages to extend its use around the world. It comes with caching features to improve performance and an admin console that allows website administrators to view popularity statistics.

WordPress Shortcode Vulnerability

Shortcodes are a feature that lets users insert functionality into a web page with a predefined snippet in square brackets. When the page is rendered, WordPress replaces the snippet with the output of the handler function registered for that shortcode, for example adding a contact form with a shortcode that looks like this: [add_contact_form].

WordPress is gradually evolving away from the use of shortcodes in favor of blocks with specific functionalities. The official WordPress developer site encourages plugin and theme developers to stop using shortcodes in favor of dedicated blocks, the main reason being that it is a smoother workflow for a user to select and insert a block than to configure a shortcode within a plugin and then manually insert the shortcode into a webpage.

WordPress advises:

“We would recommend people eventually upgrade their shortcodes to be blocks.”

The vulnerability discovered in the WordPress Popular Posts plugin is due to the implementation of the shortcode functionality, specifically around do_shortcode(), the WordPress function that processes and executes shortcodes. do_shortcode() expands every registered shortcode it finds in the text it is given and performs no authorization of its own, so a plugin must validate and sanitize its input, and follow the other standard WordPress plugin and theme security practices, before calling it.

According to an advisory published by Wordfence:

“The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.”

The part about “validating a value” generally means checking that what the user inputs (the “value”), such as the content of a shortcode, is confirmed to be safe and to conform to the expected inputs before being passed on for use by the website. Because the action is reachable without authentication, the practical consequence is that anyone who can send a request to the site can have it expand any shortcode registered on it, not only the plugin's own.
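As an added illustration of the pattern the advisory describes and of the shortcode mechanism explained above, the following hypothetical WordPress snippet places an unvalidated AJAX action next to a hardened version. It is not the plugin's own code and is not taken from the advisory; it assumes the WordPress runtime (add_action, do_shortcode, sanitize_key, absint, wp_send_json_error and friends), and the action names, the demo_popular shortcode and its attributes are invented for the example.

```php
<?php
// Added example, not the WordPress Popular Posts plugin's code.
// Assumes it is loaded as part of a WordPress plugin so the WP API is available.

// --- Vulnerable pattern ---------------------------------------------------
// An AJAX action that is exposed to logged-out users (wp_ajax_nopriv_*) and
// hands whatever the request supplies straight to do_shortcode(). The caller
// controls the whole string, so [demo_popular] works, but so does every other
// shortcode registered on the site, with attacker-chosen attributes.
add_action( 'wp_ajax_nopriv_demo_render_vulnerable', 'demo_render_vulnerable' );
add_action( 'wp_ajax_demo_render_vulnerable', 'demo_render_vulnerable' );
function demo_render_vulnerable() {
    $content = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $content ); // hypothetical unsafe call: request text is expanded as-is
    wp_die();
}

// --- Hardened pattern -----------------------------------------------------
// Never pass request data to do_shortcode(). Accept only the attributes the
// plugin's own shortcode understands, validate each against an allowlist or a
// numeric range, and call the handler directly with the validated values.
add_action( 'wp_ajax_nopriv_demo_render_hardened', 'demo_render_hardened' );
add_action( 'wp_ajax_demo_render_hardened', 'demo_render_hardened' );
function demo_render_hardened() {
    $allowed_ranges = array( 'daily', 'weekly', 'monthly', 'all' );

    // absint() coerces to a non-negative integer; sanitize_key() reduces the
    // value to lowercase [a-z0-9_-], so the allowlist comparison below is exact.
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 5;
    $range = isset( $_POST['range'] ) ? sanitize_key( $_POST['range'] ) : 'daily';

    if ( $limit < 1 || $limit > 50 || ! in_array( $range, $allowed_ranges, true ) ) {
        wp_send_json_error( 'invalid parameters', 400 ); // replies and exits
    }

    // The shortcode name and structure are fixed by the server; only the
    // validated attribute values come from the request.
    echo demo_popular_shortcode( array( 'limit' => $limit, 'range' => $range ) );
    wp_die();
}

// --- The plugin's own shortcode (stand-in) --------------------------------
// Registers [demo_popular limit="5" range="daily"], as a plugin normally would.
add_shortcode( 'demo_popular', 'demo_popular_shortcode' );
function demo_popular_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'limit' => 5, 'range' => 'daily' ),
        $atts,
        'demo_popular'
    );
    // Output is escaped for the attribute context it is placed in.
    return sprintf(
        '<ul class="demo-popular" data-range="%s" data-limit="%d"></ul>',
        esc_attr( $atts['range'] ),
        (int) $atts['limit']
    );
}
```

The point of the hardened version is that the request never reaches do_shortcode() at all. Because the endpoint is deliberately open to unauthenticated visitors, there is no capability check or nonce to fall back on, so the server-side allowlist on each attribute is the only control; if the plugin genuinely needs to expand a shortcode string, it should build that string itself from validated values rather than accept one from the client.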

Official Plugin Changelog

A changelog is the documentation of what is being updated, which gives users of the plugin an opportunity to understand what is changing and to make decisions about whether or not to update their installation, so transparency is important.

The WordPress Popular Posts plugin is responsibly transparent in its documentation of the update.

The plugin changelog advises:

“Fixes a security issue that allows unintended arbitrary shortcode execution (props to mikemyers and the Wordfence team!)”

Recommended Actions

All versions of the WordPress Popular Posts plugin up to and including version 7.1.0 are vulnerable. Wordfence recommends updating to the latest version of the plugin, 7.2.0.

Read the official Wordfence advisory:

WordPress Popular Posts <= 7.1.0 – Unauthenticated Arbitrary Shortcode Execution


By Roger Montti, SEJ Staff (Owner, Martinibuster.com)
