CVE-2024-11733 Overview
CVE-2024-11733 affects the WordPress Popular Posts plugin in all versions up to and including 7.1.0. The plugin invokes do_shortcode on user-supplied input without proper validation through its REST ViewLoggerEndpoint. Unauthenticated attackers can submit crafted requests that execute arbitrary WordPress shortcodes on the target site. The vulnerability is classified under CWE-94: Improper Control of Generation of Code and carries a CVSS 3.1 score of 7.3. Successful exploitation can lead to information disclosure, content manipulation, and abuse of any shortcode registered by the site, including those exposed by other plugins.
Critical Impact
Unauthenticated remote attackers can execute arbitrary WordPress shortcodes through the plugin's REST view-logging endpoint, enabling code execution paths supplied by other registered shortcodes.
Affected Products
- WordPress Popular Posts plugin versions through 7.1.0
- WordPress sites with the plugin installed and active
- Any plugin or theme registering shortcodes accessible via do_shortcode on the affected site
Discovery Timeline
- 2025-01-03 - CVE CVE-2024-11733 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-11733
Vulnerability Analysis
The WordPress Popular Posts plugin exposes a REST endpoint that records post views. The endpoint accepts client-supplied parameters and passes a value into do_shortcode without sufficient validation. Because do_shortcode parses and executes any registered shortcode found in the supplied string, attackers can inject shortcode syntax that the WordPress core then renders. The flaw is reachable without authentication, which broadens the attacker population to any internet-connected actor.
The impact depends on which shortcodes the target site has registered. Shortcodes commonly expose privileged behavior such as rendering arbitrary post content, embedding remote resources, or invoking plugin logic that bypasses normal request handling. Because shortcode execution occurs in the WordPress request context, attackers can chain this primitive with other plugins to achieve more substantial impact, including data exfiltration or content injection.
Root Cause
The root cause is improper input validation before invoking a dynamic code execution function. The ViewLoggerEndpoint handler in src/Rest/ViewLoggerEndpoint.php passes attacker-controllable data to do_shortcode without restricting allowed values, sanitizing shortcode brackets, or validating that the input represents a legitimate post identifier. This pattern matches CWE-94: Improper Control of Generation of Code.
Attack Vector
The attack is performed remotely over the network against the plugin's REST route. The attacker issues an HTTP request to the view-logger endpoint and supplies shortcode markup in the affected parameter. WordPress processes the shortcode during the request, returning or acting on the rendered output. No authentication, user interaction, or elevated privileges are required.
For technical specifics, see the vulnerable source line in ViewLoggerEndpoint.php and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-11733
Indicators of Compromise
- HTTP requests to /wp-json/wordpress-popular-posts/v*/popular-posts/view/* containing shortcode brackets ([ or %5B) in parameters or body
- Unexpected entries in wp_popularposts* database tables corresponding to non-existent or malformed post IDs
- Web server access logs showing repeated POST requests to the view-logger route from a single source without a preceding page render
- Outbound network connections initiated by PHP workers immediately after requests to the plugin's REST endpoint
Detection Strategies
- Inspect WordPress REST request bodies for shortcode syntax targeting the wordpress-popular-posts namespace
- Correlate REST endpoint hits with subsequent anomalous shortcode-driven behavior such as remote includes or embedded content
- Deploy a Web Application Firewall (WAF) rule that blocks square-bracket payloads in the plugin's view-logger parameters
Monitoring Recommendations
- Enable verbose REST API logging on WordPress and forward logs to a centralized analytics platform
- Monitor PHP error and access logs for do_shortcode invocations with attacker-controlled content
- Alert on first-seen IP addresses issuing POST requests to the WordPress Popular Posts REST routes
How to Mitigate CVE-2024-11733
Immediate Actions Required
- Upgrade the WordPress Popular Posts plugin to a version later than 7.1.0 that addresses CVE-2024-11733
- If a patched version is not yet deployed, deactivate the WordPress Popular Posts plugin until remediation is applied
- Audit installed shortcodes to identify those that could produce high-impact effects when triggered without authentication
Patch Information
Review the plugin source at the WordPress Plugin Trac repository and update to the latest plugin release listed on the WordPress.org plugin directory. Confirm patch availability through the Wordfence Vulnerability Report before deploying.
Workarounds
- Block requests to the WordPress Popular Posts REST routes at the WAF or reverse proxy until the plugin is patched
- Restrict access to /wp-json/wordpress-popular-posts/ to internal IP ranges or authenticated administrators
- Apply a custom mu-plugin filter that rejects requests containing shortcode brackets in the affected parameters
# Example nginx rule to block shortcode payloads against the plugin REST route
location ~* /wp-json/wordpress-popular-posts/ {
if ($request_uri ~* "(\[|%5B)") { return 403; }
if ($request_body ~* "(\[|%5B)") { return 403; }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
