WordPress Popular Posts Plugin <= 6.3.2 is vulnerable to Cross Site Scripting (XSS)
Description
Stored XSS in WordPress Popular Posts plugin (<=6.3.2) allows contributor+ users to inject arbitrary scripts via post metadata.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the WordPress Popular Posts plugin by Hector Cabrera, versions 6.3.2 and earlier, a contributor-level or higher authenticated user can inject arbitrary JavaScript into the plugin's stored data. The wordpress-popular-posts plugin fails to properly sanitize certain post metadata when it renders popular post lists, enabling Stored Cross-Site Scripting (XSS). This vulnerability affects all sites running the plugin up to and including version 6.3.2 [1].
Exploitation
An attacker must have at least a Contributor role on the target WordPress site. No other special network position is required beyond normal web access. The attacker crafts a post containing malicious JavaScript in a metadata field that the plugin renders unsanitized. When the vulnerable plugin renders the popular posts list (e.g., via widget or shortcode), the stored script executes in the browsers of visitors viewing that list. No user interaction beyond visiting the affected page is needed.
Impact
Successful exploitation results in stored cross-site scripting. The attacker can execute arbitrary JavaScript in the context of any user viewing a page that displays the popular posts list. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The attack targets all site visitors, including administrators, potentially allowing privilege escalation if an admin session is compromised.
Mitigation
The vendor has released version 6.3.3, which fixes the vulnerability. Users are strongly advised to update to version 6.3.3 or later immediately. For sites that cannot update, the only workaround is to restrict contributor-level and higher roles to trusted users and disable the popular posts widget until patched. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
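As an added illustration, not the plugin's own code or its actual fix, the following shows a WordPress-style popular-post list item built from post metadata, first with the metadata concatenated into HTML as-is and then escaped for the exact context each value lands in. The field names, function names and sample values are assumptions; the esc_* stand-ins exist only so the file runs outside WordPress, where the real functions are provided.

```php
<?php
// Added illustration (not the plugin's code): rendering a popular-posts list
// item from post metadata. Field and function names are hypothetical; the
// plugin's real field and fix are not given on the record page.

// Stand-ins so the file runs outside WordPress; WordPress provides the real ones.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        // Minimal stand-in: allow only http(s) URLs, then attribute-escape.
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}

// Unsafe pattern: metadata a Contributor controls is concatenated into HTML as-is.
function render_item_unescaped(array $meta): string {
    return '<li><a href="' . $meta['url'] . '" title="' . $meta['title'] . '">'
         . $meta['title'] . '</a> <span>' . $meta['views'] . '</span></li>';
}

// Hardened pattern: escape each value for the context it is written into
// (URL attribute, plain attribute, element text) and coerce numeric fields.
function render_item_escaped(array $meta): string {
    return '<li><a href="' . esc_url($meta['url']) . '" title="' . esc_attr($meta['title']) . '">'
         . esc_html($meta['title']) . '</a> <span>' . (int) $meta['views'] . '</span></li>';
}

// Constructed sample: a title carrying markup and a non-http URL, as a
// Contributor-level account could save them in post metadata.
$meta = [
    'title' => 'A "quoted" <b>title</b>',
    'url'   => 'javascript:void(0)',
    'views' => '42abc',
];
echo render_item_unescaped($meta), PHP_EOL; // markup and scheme pass straight through
echo render_item_escaped($meta), PHP_EOL;   // entities encoded, URL dropped, views coerced to 42
```

Run with `php render_item.php` (any file name) to compare the two outputs; the escaped line is what the widget or shortcode should emit.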
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=6.3.2
- Hector Cabrera / WordPress Popular Posts; Range: n/a
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.