WordPress Plugin Vulnerability Report – WordPress Popular Posts – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Plugin Name: WordPress Popular Posts

Key Information:

  • Software Type: Plugin
  • Software Slug: wordpress-popular-posts
  • Software Status: Active
  • Software Author: hcabrera
  • Software Downloads: 7,045,880
  • Active Installs: 200,000
  • Last Updated: October 6, 2023
  • Patched Versions: <=6.3.2
  • Affected Versions: 6.3.3

Vulnerability Details:

  • Name: WordPress Popular Posts <= 6.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: October 6, 2023
  • Description: The WordPress Popular Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 6.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The WordPress Popular Posts plugin for WordPress has a vulnerability in versions up to and including 6.3.3 that allows authenticated users with Contributor+ level access to inject arbitrary JavaScript payloads into pages and posts. This vulnerability has been patched in version <=6.3.2.

Detailed Overview:

In WordPress Popular Posts versions up to and including 6.3.3, the plugin's shortcode feature insufficiently sanitizes user input, allowing authenticated users with Contributor or higher level access to inject arbitrary JavaScript payloads into posts and pages. When users visit a page or post containing the injected payload, the JavaScript will execute in their browsers. This exposes site visitors to a range of Cross-Site Scripting attacks depending on the payload injected. Site owners are strongly encouraged to update to version <=6.3.2 which contains protections against this vulnerability. Failing to patch this vulnerability risks exposing site visitors to compromise of their accounts, data exfiltration, or other attacks leveraging XSS vulnerabilities.

Advice for Users:

  1. Immediate Action: Update to version <=6.3.2 as soon as possible.
  2. Check for Signs of Vulnerability: Review page and post content for unexpected JavaScript or iframes which could signal exploitation of this vulnerability.
  3. Alternate Plugins: Consider using alternate plugins for popular post functionality like Simple Most Popular Posts as a precaution.
  4. Stay Updated: Always keep plugins updated and review changelogs to ensure you are running non-vulnerable versions.


This vulnerability demonstrates the importance of keeping WordPress and installed plugins updated to avoid compromises. Users should install version <=6.3.2 or later immediately to prevent exploitation of this issue on their sites.




Detailed Report:

Keeping your WordPress website and its plugins up-to-date is critical for security. Unfortunately, many site owners fail to regularly update and patch vulnerabilities in WordPress core, themes and plugins. These unpatched bugs leave sites open to compromise by hackers exploiting known flaws. This was demonstrated again recently with the disclosure of a cross-site scripting vulnerability in a popular WordPress plugin, WordPress Popular Posts. In this article, we’ll break down this newly disclosed vulnerability, assess the risks it poses for affected sites, and offer solutions WordPress site owners can implement to detect and remediate any impact. We’ll also provide some best practices for keeping your WordPress site updated to avoid future vulnerabilities. Don’t leave your site at risk unnecessarily - take action today to lock it down.

About the Vulnerable Plugin

WordPress Popular Posts is a widely used plugin with over 7 million downloads and 200,000 active installs. It allows site owners to display their most popular content. The plugin is actively maintained by developer hcabrera.

Vulnerability Details

Researchers disclosed a cross-site scripting (XSS) vulnerability impacting WordPress Popular Posts versions up to and including 6.3.3. This vulnerability allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript payloads into posts and pages. The plugin insufficiently sanitizes user input, enabling the XSS attack. When vulnerable pages/posts are viewed, the injected malicious JavaScript will execute in site visitors' browsers.

This gives attackers significant power to compromise site visitors, steal their data or accounts, or distribute malware. The vulnerability is rated Medium severity with a CVSS score of 6.4. It has been patched in version <=6.3.2.

Risks and Potential Impacts

This vulnerability poses serious risks if left unpatched:

  • Account takeover of admin accounts via session hijacking or passwords stolen through keylogging
  • Injection of iframes to distribute malware or unwanted advertising
  • Theft of sensitive user data via data exfiltration attacks
  • Defacement and reputation damage from offensive scripts

Attackers could leverage compromised visitor accounts to further exploit vulnerabilities and escalate access.

How to Detect and Remediate

  1. Update to the patched release, <=6.3.2, immediately.
  2. Review page content for unexpected JavaScript/iframes indicating exploitation.
  3. Consider alternative plugins like Simple Most Popular Posts.
  4. Sign up for automatic plugin updates to avoid missing new releases.

History of Vulnerabilities

WordPress Popular Posts has had 5 previous vulnerabilities disclosed since June 2021, indicating a history of security issues. This reinforces the need to keep on top of plugin updates and changelogs.

The Importance of Staying Updated

This vulnerability underscores the absolutely critical need to keep your WordPress site and all plugins updated in a timely manner. Set up automatic background updates for the core platform and plugins. Review changelogs whenever updates are released. Sign up for security notification services that disclose vulnerabilities.

As a small business owner without dedicated IT staff, you may not have time to constantly monitor for security issues yourself. Consider leveraging specialized WordPress hosting providers that offer layers of security like auto-updates, malware detection, firewalls and 24/7 monitoring to protect your site. The cost is negligible compared to the damage from a hacked website.

Need a Helping Hand?

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain, and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Plugin Vulnerability Report – WordPress Popular Posts – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode FAQs

Leave a Comment