CVE-2026-24587
Description
Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts Widget ajax-hits-counter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Hits Counter + Popular Posts Widget: from n/a through <= 0.10.210305.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The AJAX Hits Counter plugin for WordPress (<=0.10.210305) has a broken access control vulnerability, allowing unauthenticated attackers to exploit misconfigured security levels.
Vulnerability
The AJAX Hits Counter + Popular Posts Widget plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) that falls under broken access control. The plugin fails to properly enforce access checks on its AJAX handlers, allowing actions intended for privileged users to be executed by unauthenticated visitors [1]. This issue affects all versions up to and including 0.10.210305.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the plugin's AJAX endpoints without needing any authentication. Since the plugin lacks nonce verification or capability checks, the attacker can trigger functions that should be restricted to administrators or certain user roles [1]. No special network access or conditions are required beyond the ability to reach the WordPress site.
Impact
Successful exploitation could allow an attacker to manipulate hit counter data, alter popular posts lists, or perform other unauthorized actions depending on the missing authorization checks. This vulnerability is known to be used in mass-exploit campaigns, targeting thousands of websites indiscriminately [1]. The CVSS v3 score is 5.4 (Medium), reflecting the potential for significant but not critical damage.
Mitigation
The plugin vendor has not released a patched version; users are strongly advised to update to the latest available version or disable the plugin if no update is forthcoming. If immediate updating is not possible, consider asking your hosting provider for assistance or implementing additional access controls, such as restricting AJAX endpoints to authenticated users [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
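The Mitigation section above names the two controls the description says are absent from the plugin's AJAX handlers: a nonce check and a capability check. The following is an added illustration of how a WordPress AJAX handler applies both; it is not the ajax-hits-counter plugin's code, and the action name `example_reset_hits`, the script handle `example-admin` and the meta key `_example_hits` are hypothetical.

```php
<?php
// Added illustration (not the plugin's code) of a WordPress AJAX handler that
// enforces both checks the Mitigation section names: a nonce check and a
// capability check. Action name, script handle and meta key are hypothetical.

// Register the handler on wp_ajax_* only. The wp_ajax_nopriv_* hook runs for
// unauthenticated visitors, so a privileged action must never be hooked there.
add_action( 'wp_ajax_example_reset_hits', 'example_reset_hits_handler' );

function example_reset_hits_handler() {
    // 1. Nonce check: the request must carry a nonce issued for this action.
    //    With $die = false, check_ajax_referer() returns false instead of
    //    terminating, so the failure can be reported as a proper 403.
    if ( ! check_ajax_referer( 'example_reset_hits', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Capability check: being logged in is not enough; the caller must
    //    hold the capability the action requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation before touching any data.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 400 );
    }

    // Hypothetical privileged action: reset a per-post hit counter.
    delete_post_meta( $post_id, '_example_hits' );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Hand the nonce to the admin-side script that calls admin-ajax.php, so a
// legitimate client can satisfy the nonce check above.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_reset_hits' ),
    ) );
} );
```

The ordering matters for detection as well as defence: a request that fails the nonce or capability check is rejected with a 403 before any data is read or written, which gives the web server log a clear signal to alert on, whereas a handler that performs the action first and checks afterwards leaves nothing to distinguish legitimate from unauthorized calls.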
Affected products
- Range: <=0.10.210305
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.