NinTechNet discovered an authenticated code injection vulnerability leading to Remote Code Execution (RCE) in the WordPress Popular Posts plugin.
An input validation issue in the WordPress Popular Posts plugin (300K+ active installations) allows remote code execution in versions 5.3.2 and lower.
Site owners use this plugin to display their most popular posts, optionally with thumbnails. A user with the Contributor role or above can bypass the plugin's file type verification and make the site download and execute a PHP script from a remote server when the thumbnail source is set to “Custom field name” and “Resize image from Custom field” is enabled.
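The root cause described above is a thumbnail fetcher that trusts the file type implied by a user-supplied URL. The following PHP function is an added example written for this page, not code from the WordPress Popular Posts plugin, showing how a remote-thumbnail download should be hardened: the stored file's extension is derived from the detected image type, never from the URL, so a remote `.php` resource can never land on disk as an executable script. The function name, the allowed-type table and the size cap are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's own code): defensive handling of a
// user-supplied thumbnail URL. The weak pattern it replaces is trusting the
// URL's suffix (e.g. "…/image.php") when choosing the saved file name.

/**
 * Fetch a remote image and store it under a random name whose extension
 * comes from the detected content, not from the URL or the HTTP headers.
 * Returns the stored path, or null if the resource is not an acceptable image.
 */
function fetch_remote_thumbnail(string $url, string $dest_dir): ?string {
    // Assumed allow-list: detected MIME type => extension we will use.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    ];

    // Only plain http(s) URLs; reject data:, file:, php:// and similar wrappers.
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }

    // Download into memory with a 5 MiB cap (assumed limit) and no redirects,
    // so a redirect cannot swap in a different resource after validation.
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $data = @file_get_contents($url, false, $ctx, 0, 5 * 1024 * 1024);
    if ($data === false || $data === '') {
        return null;
    }

    // Decide the type from the bytes (magic numbers), never from the URL suffix.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($data);
    if (!isset($allowed[$mime])) {
        return null;
    }

    // Second check: the bytes must parse as an image with real dimensions.
    $info = @getimagesizefromstring($data);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }

    // Random name plus an extension we chose; a "payload.php" URL cannot
    // produce a *.php file, whatever the attacker named it on their server.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $path = rtrim($dest_dir, '/') . '/' . $name;
    if (file_put_contents($path, $data) === false) {
        return null;
    }
    return $path;
}

// Example usage (would need a real URL and a writable directory):
// $saved = fetch_remote_thumbnail('https://example.invalid/cover.jpg', __DIR__ . '/thumbs');
// var_dump($saved); // string path on success, NULL on rejection
```

Two design points are worth noting. First, content sniffing alone is not the control: a GIF/PHP polyglot passes both checks, so what actually prevents execution is that the extension is chosen by the server from the detected type, combined with denying PHP execution in the upload directory at the web-server level. Second, disabling redirects and capping the download size keeps the validated bytes identical to the stored bytes and limits resource use if a contributor supplies an abusive URL.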
Upon being notified of the vulnerability on June 3, 2021, the author swiftly patched and released 5.3.3.
If you are running version 5.3.2 or lower, update now.
Version 5.3.3 Updates:
- Fixes a possible XSS vulnerability.
- Fixes a code injection issue.
- Fixes a srcset bug affecting specific PHP locales.
- Fixes a problem where srcset wasn’t loading images when HTTPS and SSL weren’t configured correctly.
- Updates ChartJS to version 2.9.4.