WordPress Popular Posts <= 5.3.2 Authenticated Arbitrary File Upload
Description
WordPress Popular Posts plugin up to 5.3.2 allows authenticated users with contributor role to upload arbitrary files via insufficient validation in Image.php, leading to RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Popular Posts plugin versions up to and including 5.3.2 contain an arbitrary file upload vulnerability in the ~/src/Image.php file. The fetch_external_image() method does not properly validate the file type of a remote URL when thumbnail settings are configured to 'Custom field name' and 'Resize image from Custom field' (these are not default settings). An attacker can supply a URL pointing to a PHP file, which the plugin will download and save with a .php extension, bypassing the intended image-only restriction [1][3][4].
Exploitation
An attacker must have at least a Contributor-level account on a WordPress site with the affected plugin installed and the specific thumbnail settings enabled (Custom field name and Resize image from Custom field). The attacker sets the custom field value to a URL containing a malicious PHP script (e.g., a web shell). When the plugin processes the post thumbnail, it fetches the remote file and stores it in the WordPress uploads directory under a predictable path. The attacker can then access the uploaded PHP file to execute arbitrary commands [4].
Impact
Successful exploitation allows authenticated attackers to achieve Remote Code Execution (RCE) on the web server, typically with the privileges of the web server user. This can lead to full site compromise, including data theft, backdoor installation, and site defacement [4].
Mitigation
The vulnerability was fixed in version 5.3.3, released on 2021-06-07. Users are strongly advised to update to version 5.3.3 or later. No official workaround is available for users unable to update; exposure can be reduced by not enabling the 'Custom field name' and 'Resize image from Custom field' thumbnail settings, since the vulnerable code path is only reached with those settings active [1][4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress Popular Posts (WordPress plugin): versions <= 5.3.2
Patches
d9b274cf6812 Image: verifies that URLs are images
1 file changed · +12 −0
src/Image.php+12 −0 modified@@ -624,6 +624,9 @@ private function get_attachment_id($url) */ private function fetch_external_image($id, $url) { + if ( ! $this->is_image_url($url) ) + return false; + $full_image_path = trailingslashit($this->get_plugin_uploads_dir()['basedir']) . "{$id}_" . sanitize_file_name(rawurldecode(wp_basename($url))); // if the file exists already, return URL and path @@ -932,6 +935,15 @@ private function is_image_url($url) if ( ! filter_var($parse_url, FILTER_VALIDATE_URL) ) return false; + // Check extension + $file_name = basename($path); + $file_name = sanitize_file_name($file_name); + $ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION)); + $allowed_ext = ['jpg', 'jpeg', 'png', 'gif']; + + if ( ! in_array($ext, $allowed_ext) ) + return false; + // sanitize URL, just in case $image_url = esc_url($url); // remove querystring
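Review bot: in the first hunk the guard `if ( ! $this->is_image_url($url) ) return false;` validates the raw `$url`, while the file written two lines later is named from `sanitize_file_name(rawurldecode(wp_basename($url)))`; check the extension on that same decoded and sanitized basename so that the name validated and the name stored cannot differ, and wrap the single-statement `return false;` in braces to match the surrounding style.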
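Review bot: in the second hunk `$path`, used in `$file_name = basename($path);`, is not defined within the visible lines; confirm it is the path component of the parsed URL rather than the full string, otherwise a query string could feed the extension check. The allowlist only inspects the extension in the URL, not the fetched bytes, so validating the downloaded content before it is written (for example with `getimagesize()` or `wp_check_filetype_and_ext()`) would be a worthwhile defence-in-depth addition, and `in_array($ext, $allowed_ext, true)` is the stricter form of the comparison.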
r2542638 (WordPress.org plugin changeset for the same fix)
Vulnerability mechanics
Root cause
"The plugin fails to properly validate uploaded file types, allowing arbitrary file uploads."
Attack vector
An attacker with contributor-level access or above can upload a malicious file by exploiting insufficient input file type validation in the `~/src/Image.php` file. This allows the attacker to upload files that can lead to remote code execution on the server. The vulnerability is present in versions up to and including 5.3.2 [1].
Affected code
The vulnerability resides in the `~/src/Image.php` file within the WordPress Popular Posts plugin. Specifically, the logic handling image uploads and processing is affected, allowing for the bypass of intended file type restrictions.
What the fix does
The patch modifies `Image.php` so that `fetch_external_image()` first passes the remote URL through `is_image_url()`, which now extracts the extension of the sanitized path basename and only accepts `jpg`, `jpeg`, `png` and `gif`; any other URL makes the method return `false` before anything is downloaded. Because the stored file name is derived from that same URL, a value ending in `.php` can no longer be written into the uploads directory, which closes the remote code execution path.
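As an added example (written here, not the plugin's own code), the pre-fix and post-fix URL checks modelled in Python over constructed sample URLs, plus a magic-byte check on fetched content that the plugin's patch does not include and is added only as a defence-in-depth layer:

```python
from urllib.parse import urlparse, unquote
import posixpath

# Extension allowlist taken from the 5.3.3 fix (jpg, jpeg, png, gif).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the allowed formats. A content check is NOT part of the
# plugin's patch; it is an assumed extra layer for this example.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def is_valid_url(url: str) -> bool:
    """Pre-fix behaviour: the only requirement was a well-formed http(s) URL."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def url_extension(url: str) -> str:
    """Extension of the decoded basename of the URL *path*; the query string is ignored."""
    name = posixpath.basename(unquote(urlparse(url).path))
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_image_url(url: str) -> bool:
    """Post-fix behaviour: well-formed URL AND path extension in the allowlist."""
    return is_valid_url(url) and url_extension(url) in ALLOWED_EXT


def is_image_content(ext: str, data: bytes) -> bool:
    """Extra layer: fetched bytes must start with the magic bytes of the claimed type."""
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))


# Constructed sample URLs (example.com, no real targets).
SAMPLE_URLS = [
    "https://example.com/img/photo.jpg",        # image: accepted before and after
    "https://example.com/files/script.php",     # non-image: accepted before, rejected after
    "https://example.com/files/script.php?ext=.jpg",  # query string must not help
    "https://example.com/img/photo%20one.PNG",  # percent-encoding and case handled
    "https://example.com/img/photo",            # no extension: rejected after
]


def check_samples():
    """Return {url: (pre_fix_accepted, post_fix_accepted)} for the sample URLs."""
    return {u: (is_valid_url(u), is_image_url(u)) for u in SAMPLE_URLS}
```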
Preconditions
- Authentication: attacker must have contributor-level access or above.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/cabrerahector/wordpress-popular-posts/commit/d9b274cf6812eb446e4103cb18f69897ec6fe601 (patch)
- [2] packetstormsecurity.com/files/165376/WordPress-Popular-Posts-5.3.2-Remote-Code-Execution.html
- [3] blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
- [4] plugins.trac.wordpress.org/changeset/2542638/wordpress-popular-posts/trunk/src/Image.php
- [5] wpscan.com/vulnerability/bd4f157c-a3d7-4535-a587-0102ba4e3009
- [6] www.wordfence.com/vulnerability-advisories/