5 matches found

Positive Technologies
added 2022/12/07 12:0 a.m. · 4 views

PT-2022-26930 · WordPress · Wordpress Popular Posts

Name of the Vulnerable Software and Affected Versions: WordPress Popular Posts versions 6.0.5 and earlier

Description: The issue allows external initialization of trusted variables or data stores, enabling the acceptance of untrusted external inputs to update internal variables. This can lead to...

CVSS 7.5 · AI score 7.4 · EPSS 0.00551
Exploits: 0 · References: 7

Japan Vulnerability Notes
added 2022/11/18 6:14 a.m. · 2 views

WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables

Overview: WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera accepts untrusted external inputs to update certain internal variables (CWE-454). Tsubasa Iinuma of Origami Systems reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...

CVSS 7.5 · AI score 6.6 · EPSS 0.00551
Exploits: 0 · References: 6

Malwarebytes
added 2021/11/25 4:27 p.m. · 33 views

Google’s Threat Horizons report: Will the straightforward approach get results?

Google’s Cybersecurity Action Team has released a Threat Horizons report focusing on cloud security. It’s taken some criticism for being surprisingly straightforward and less complex than you may expect. On the other hand, many businesses simply don’t understand many of the threats at large...

AI score 6.8
Exploits: 0

wpexploit
added 2021/07/12 12:0 a.m. · 55 views

Page View Counts < 2.4.9 - Contributor+ Stored XSS

The plugin does not escape the postid parameter of pvcstats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege user...

CVSS 3.5 · AI score 1.7 · EPSS 0.00162
Exploits: 2

WPVulnDB
added 2021/07/12 12:0 a.m. · 17 views

Page View Counts < 2.4.9 - Contributor+ Stored XSS

The plugin does not escape the postid parameter of pvcstats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege user...

CVSS 3.5 · AI score 2.3 · EPSS 0.00162
Exploits: 2 · Affected Software: 1