WordPress Popular Posts Plugin Vulnerability Affects +300,000 Sites

NinTechNet discovered an authenticated code injection vulnerability leading to Remote Code Execution (RCE) in the WordPress Popular Posts plugin.

An input validation issue in the WordPress Popular Posts plugin (300K+ active installations) is responsible for remote code execution for versions 5.3.2 and lower.

Users can use this plugin to display the most popular posts on their blog, as well as thumbnails. An administrator with a contributor role or above can bypass file type verification, download, and execute a PHP script from the remote server if thumbnails are set to “Custom field name” and “Resize image from Custom field.”

Upon being notified of the vulnerability on June 3, 2021, the author swiftly patched and released 5.3.3.

If you are using a version of 5.3.2 or lower, you should update now.

Read more:



Version 5.3.3 Updates:

  • This fix resolves a possible XSS vulnerability.
  • Fixes an issue with code injection.
  • Resolves a srcset bug affecting specific PHP locales.
  • It fixes a problem where srcset weren’t loading images when HTTPS and SSL weren’t configured correctly.
  • This update brings ChartJS to version 2.9.4.


Disclosure: Our content is reader-supported, which means that if you click on some of our links that we may earn a commission.