WordPress Popular Posts plugin <= 5.3.3 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Description
An authenticated stored XSS vulnerability in the WordPress Popular Posts plugin <=5.3.3 allows attackers with widget edit access to inject arbitrary scripts via the widget-wpp[2][post_type] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated persistent cross-site scripting (XSS) vulnerability exists in the WordPress Popular Posts plugin, versions up to and including 5.3.3. The flaw is triggered through the widget-wpp[2][post_type] parameter, whose user-supplied value is not properly sanitized before it is stored and later rendered in the admin Widgets interface. This allows an attacker with the ability to edit widgets to inject arbitrary HTML and JavaScript [1].
Exploitation
An attacker must have authenticated access to the WordPress admin dashboard with a user role that can edit widgets (e.g., Administrator or Editor). The attacker crafts a payload containing malicious JavaScript, submits it via the vulnerable widget-wpp[2][post_type] parameter, and the payload is stored. When an admin or other user visits the Widgets admin page, the script executes in their browser within the context of the WordPress admin area [1].
Impact
Successful exploitation leads to stored cross-site scripting (XSS) in the WordPress admin interface. The attacker can perform actions such as stealing admin session cookies, modifying site settings, creating new admin accounts, or injecting malicious content, effectively gaining full control over the affected WordPress installation [1].
Mitigation
The vulnerability is fixed in version 5.3.4 of the WordPress Popular Posts plugin, released shortly after the disclosure. Users are strongly advised to update to version 5.3.4 or later immediately. This issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
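As an added illustration of the defensive pattern behind a fix for this bug class (example code written for this page, not the plugin's own code or its actual patch, which this page has no diff for): a hypothetical WP_Widget subclass whose id_base `wpp` makes WordPress name the form field `widget-wpp[N][post_type]`. Its `update()` accepts only a registered post type slug, and its `form()` escapes the stored value before printing it into the Widgets screen.

```php
<?php
// Hypothetical widget class, not code from the WordPress Popular Posts plugin.
// It shows the two controls that close a stored XSS through a widget setting
// such as widget-wpp[2][post_type]: validate on save, escape on render.
class Example_Popular_Posts_Widget extends WP_Widget {

    public function __construct() {
        // id_base 'wpp' makes WordPress name the field widget-wpp[N][post_type].
        parent::__construct( 'wpp', 'Example Popular Posts' );
    }

    // Runs when the widget form is saved from the Widgets admin screen.
    // Returning $new_instance untouched here is what would let arbitrary
    // markup reach the database.
    public function update( $new_instance, $old_instance ) {
        $instance = $old_instance;
        // sanitize_key() strips everything outside [a-z0-9_-]; the result must
        // also be a registered post type, otherwise fall back to 'post'.
        $candidate = isset( $new_instance['post_type'] )
            ? sanitize_key( $new_instance['post_type'] )
            : '';
        $instance['post_type'] = post_type_exists( $candidate ) ? $candidate : 'post';
        return $instance;
    }

    // Renders the admin form. The stored value is escaped with esc_attr() even
    // though update() validated it, so a value that reached the database by
    // another path (import, direct DB edit) is still inert in the page.
    public function form( $instance ) {
        $post_type = isset( $instance['post_type'] ) ? $instance['post_type'] : 'post';
        $id   = esc_attr( $this->get_field_id( 'post_type' ) );
        $name = esc_attr( $this->get_field_name( 'post_type' ) );
        ?>
        <p>
            <label for="<?php echo $id; ?>">Post type</label>
            <input type="text" id="<?php echo $id; ?>" name="<?php echo $name; ?>"
                   value="<?php echo esc_attr( $post_type ); ?>">
        </p>
        <?php
    }
}

// Register the hypothetical widget with WordPress.
add_action( 'widgets_init', function () {
    register_widget( 'Example_Popular_Posts_Widget' );
} );
```

The same two rules apply to every other widget setting: normalize and validate in `update()`, and escape with the context-appropriate `esc_*()` function wherever the value is printed.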
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.3.3
- Hector Cabrera / WordPress Popular Posts, v5, Range: 5.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.