WordPress Popular Posts Plugin Vulnerability Affects 100k+ Sites

High-severity vulnerability discovered in a Popular Posts plugin makes it possible for attackers to inject arbitrary short codes

An advisory has been issued about a high-severity WordPress vulnerability that makes it possible for attackers to inject arbitrary short codes into sites using the WordPress Popular Posts plugin. Attackers do not need a user account to launch an attack.

WordPress Popular Posts is installed on over 100,000 websites. It enables a site to display its most popular posts within any given time period and has been translated into sixteen languages to extend its use around the world. It comes with caching features to improve performance and an admin console that lets website administrators view popularity statistics.

WordPress Short code Vulnerability

Short codes are a feature that lets users add functionality to a web page by inserting a predefined snippet within square brackets; WordPress replaces the snippet with the output of the function it maps to, for example adding a contact form with a short code that looks like this: [add_contact_form].

WordPress is gradually evolving away from the use of short codes in favor of blocks with specific functionalities. The official WordPress developer site encourages plugin and theme developers to discontinue using short codes in favor of dedicated blocks, the main reason being that it’s a smoother workflow for a user to select and insert a block than to configure a short code within a plugin and then manually insert the short code into a webpage.

WordPress advises:

“We would recommend people eventually upgrade their short codes to be blocks.”

The vulnerability discovered in the WordPress Popular Posts plugin is due to how the plugin implemented its short code functionality, specifically its use of do_shortcode(), the WordPress function that parses and executes short codes. Because do_shortcode() runs whatever registered short codes appear in the string it is given, any value passed to it must first be validated, in line with standard WordPress plugin and theme security practices.

“The WordPress Popular Posts’ plugin for WordPress is vulnerable to arbitrary short code execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary short codes.”

That part about “validating a value” generally means checking that whatever the user supplies (the “value”), such as the content of a shortcode, is safe and conforms to the expected inputs before the website uses it.
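To make the advisory’s wording concrete, the following is an added illustration written for this article; it is not the plugin’s own code and does not reproduce the actual flaw. It registers a short code with add_shortcode(), shows the unsafe pattern the advisory describes (an action reachable without an account that hands a request value straight to do_shortcode()), and then a hardened version that validates the value against an allow-list before rendering. All function, short code and action names beginning with demo_ are hypothetical placeholders.

```php
<?php
// Added illustration, not the plugin's code. Every demo_* name is a
// hypothetical placeholder chosen for this example.

// 1. Registering a short code: [demo_greeting name="Ada"] renders "Hello, Ada".
add_shortcode( 'demo_greeting', function ( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'world' ), $atts, 'demo_greeting' );
    return 'Hello, ' . esc_html( $atts['name'] );
} );

// 2. The unsafe pattern the advisory describes: a wp_ajax_nopriv_* action is
//    reachable by visitors without an account, and the request value goes
//    straight to do_shortcode(), so the caller decides which of the site's
//    registered short codes get executed.
function demo_render_unsafe() {
    $value = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $value ); // value never validated
    wp_die();
}
add_action( 'wp_ajax_nopriv_demo_render_unsafe', 'demo_render_unsafe' );

// 3. Hardened form: only the short code tags this feature is meant to render
//    are accepted; anything else is rejected before do_shortcode() runs.
//    A nonce check also stops the endpoint from being driven by arbitrary POSTs.
function demo_render_safe() {
    check_ajax_referer( 'demo_render', 'nonce' );

    $allowed_tags = array( 'demo_greeting' );
    $value        = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    // get_shortcode_regex() matches every registered short code; capture
    // group 2 is the tag name, so each tag found must be on the allow-list.
    preg_match_all( '/' . get_shortcode_regex() . '/s', $value, $matches );
    foreach ( $matches[2] as $tag ) {
        if ( ! in_array( $tag, $allowed_tags, true ) ) {
            wp_send_json_error( 'unsupported short code: ' . esc_html( $tag ), 400 );
        }
    }

    wp_send_json_success( do_shortcode( $value ) );
}
add_action( 'wp_ajax_nopriv_demo_render_safe', 'demo_render_safe' );
```

A stricter design, where the endpoint accepts only individual parameters and builds the short code string itself on the server, removes the need to parse and allow-list tags at all; the allow-list approach above is the minimal fix when the endpoint must keep accepting short code markup.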

Official Plugin Changelog

A changelog documents what an update changes. For users of a plugin it is an opportunity to understand what is being updated and to decide whether or not to update their installation, so transparency in the changelog matters.

The WordPress Popular Posts plugin is responsibly transparent in their documentation of the update.

The plugin changelog advises:

“Fixes a security issue that allows unintended arbitrary short code execution (props to Mike Myers and the Wordfence team!)”

Recommended Actions

All versions of the WordPress Popular Posts plugin up to and including version 7.1.0 are vulnerable. Wordfence recommends updating to the latest version of the plugin, 7.2.0.
