CVE-2024-11733
Description
CVE-2024-11733 allows unauthenticated attackers to execute arbitrary WordPress shortcodes via the WordPress Popular Posts plugin versions up to 7.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 7.1.0. The flaw exists in the get_views_count() method within src/Rest/ViewLoggerEndpoint.php (line 70) [1]. The time_quantity parameter is not validated before being concatenated into a shortcode string that is then processed by do_shortcode, allowing injection of arbitrary shortcodes.
Exploitation
An unauthenticated attacker can trigger this by sending a crafted REST API request to the /wordpress-popular-posts/v1/views/{id} endpoint, which has permission_callback => '__return_true' [1], making it publicly accessible. By providing a malicious time_quantity parameter containing additional shortcode syntax, the attacker can execute arbitrary WordPress shortcodes.
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary WordPress shortcodes. Depending on the installed plugins and themes, this can lead to various impacts including data theft, file deletion, or remote code execution. The attacker does not require any prior authentication or user interaction.
Mitigation
Users should update to version 7.2.0 or later, which fixes the vulnerability. No workaround is available. The plugin is actively maintained, and the vendor has released a patched version.
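The advisory describes the defect as a request parameter concatenated into a shortcode string that is then passed to do_shortcode(). The following PHP is an added illustration, not code from the WordPress Popular Posts plugin: it places the weak pattern next to a hardened REST route that validates time_quantity through the REST argument schema and builds the shortcode only from typed, quoted values. The function names, the [wpp] shortcode attributes and the accepted ranges are assumptions; only the route, the time_quantity parameter, the public permission_callback and do_shortcode() come from the advisory.

```php
<?php
// Added example; not the plugin's own code. Names and attributes are assumed.

// Weak pattern described in the advisory: raw request text is interpolated
// into a shortcode string, so any shortcode syntax inside it is parsed.
function wpp_views_count_weak(WP_REST_Request $request) {
    $time_quantity = $request->get_param('time_quantity');
    return do_shortcode('[wpp range="custom" time_quantity="' . $time_quantity . '"]');
}

// Hardened form: declare a schema for every argument so the REST layer
// rejects anything that is not an integer in range (or not in the enum)
// before the callback runs. No custom validate_callback is set, because
// supplying one replaces WordPress's schema validation entirely.
function wpp_register_views_route_hardened() {
    register_rest_route('wordpress-popular-posts/v1', '/views/(?P<id>\d+)', [
        'methods'             => 'POST',
        'callback'            => 'wpp_views_count_hardened',
        'permission_callback' => '__return_true', // public endpoint, as in the advisory
        'args'                => [
            'id' => [
                'type'              => 'integer',
                'required'          => true,
                'sanitize_callback' => 'absint',
            ],
            'time_quantity' => [
                'type'              => 'integer',
                'minimum'           => 1,     // assumed bound
                'maximum'           => 365,   // assumed bound
                'default'           => 1,
                'sanitize_callback' => 'absint',
            ],
            'time_unit' => [
                'type'    => 'string',
                'enum'    => ['minute', 'hour', 'day', 'week', 'month'], // assumed set
                'default' => 'day',
            ],
        ],
    ]);
}

function wpp_views_count_hardened(WP_REST_Request $request) {
    // Coerce again inside the handler; the shortcode attributes are built
    // from an integer and an enum member, never from raw request text.
    $quantity = absint($request->get_param('time_quantity'));
    $unit     = $request->get_param('time_unit');
    if ($quantity < 1) {
        return new WP_Error('wpp_bad_quantity', 'time_quantity must be a positive integer', ['status' => 400]);
    }
    $atts = sprintf('range="custom" time_quantity="%d" time_unit="%s"', $quantity, esc_attr($unit));
    return rest_ensure_response(['html' => do_shortcode('[wpp ' . $atts . ']')]);
}
add_action('rest_api_init', 'wpp_register_views_route_hardened');
```

The schema does the real work: with 'type' => 'integer' and no custom validate_callback, WordPress runs rest_validate_request_arg() and returns a 400 for values that are not integers or fall outside minimum/maximum, so shortcode syntax in time_quantity never reaches the callback; the absint() and sprintf('%d') in the handler are a second layer in case the route is ever registered without the schema.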
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: <=7.1.0
- (no CPE) range: <=7.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.