WebberZone Top 10 — Popular Posts Security & Risk Analysis

wordpress.org/plugins/top-10

Track post views and page views, and display popular posts and trending content on your WordPress site.

20K active installs · v4.2.1 · PHP 7.4+ · WP 6.6+ · Updated Feb 21, 2026
Tags: most-viewed-posts, page-views, popular-posts, popular-posts-widget, post-views
Score: 94 · A · Safe
CVEs total: 10
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is WebberZone Top 10 — Popular Posts Safe to Use in 2026?

Generally Safe

Score 94/100

WebberZone Top 10 — Popular Posts has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: May 7, 2025 · Updated 1mo ago
Risk Assessment

The 'top-10' plugin v4.2.1 demonstrates a generally strong security posture with a significant majority of SQL queries utilizing prepared statements and a high percentage of properly escaped output. The static analysis shows a robust implementation of security checks, with all identified entry points (AJAX handlers, REST API routes, shortcodes, cron events) protected by authentication or permission callbacks. The absence of dangerous functions and critical or high severity taint flows further contributes to this positive assessment.

However, a notable concern arises from the plugin's historical vulnerability data, which indicates a pattern of past security issues, including Cross-site Scripting (XSS), Missing Authorization, Cross-Site Request Forgery (CSRF), and SQL Injection. While there are currently no unpatched CVEs, the sheer volume and variety of past vulnerabilities (10 total) suggest a recurring need for rigorous security auditing and prompt patching. The presence of 3 flows with unsanitized paths, although not classified as critical or high severity in the current analysis, warrants attention as potential precursors to future vulnerabilities, especially given the plugin's history.

In conclusion, the 'top-10' plugin v4.2.1 has made strides in implementing secure coding practices, particularly in its handling of SQL and output. Nevertheless, its history of past vulnerabilities should not be overlooked. Continuous monitoring and timely updates remain crucial to mitigate the risks stemming from its past security incidents and to ensure the ongoing integrity of sites using this plugin.

Key Concerns

  • History of 10 CVEs (1 high, 9 medium)
  • 3 flows with unsanitized paths
  • Bundled Freemius v1.0 (outdated library likely)
Vulnerabilities
10

WebberZone Top 10 — Popular Posts Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2017: 1 CVE
2020: 1 CVE
2022: 1 CVE
2023: 5 CVEs
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 9

10 total CVEs

CVE-2025-47509 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Top 10 <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 7, 2025 Patched in 4.1.1 (7d)

CVE-2023-47238 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Top 10 <= 3.3.2 - Cross-Site Request Forgery via edit_count_ajax

Nov 3, 2023 Patched in 3.3.3 (278d)

WF-cbff7ec1-535d-43bf-be61-83a1e7625c77-top-10 · medium · 4.3 · Missing Authorization

Top 10 – Popular posts plugin for WordPress <= 3.2.4 - Missing Authorization on tptn_chart_data

Feb 22, 2023 Patched in 3.2.5 (335d)

CVE-2023-26008 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Top 10 – Popular posts plugin - <= 3.2.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Feb 22, 2023 Patched in 3.2.5 (335d)

CVE-2023-25993 · medium · 4.3 · Missing Authorization

Top 10 – Popular posts plugin for WordPress <= 3.2.3 - Missing Authorization on tptn_ajax_clearcache

Feb 20, 2023 Patched in 3.2.4 (337d)

WF-5c7edfad-b45b-4297-876d-a063e02af0bf-top-10 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Top 10 – Popular posts plugin for WordPress <= 3.2.3 - Cross-Site Request Forgery via tptn_ajax_clearcache

Feb 20, 2023 Patched in 3.2.4 (337d)

CVE-2022-4570 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Top 10 – Popular posts plugin for WordPress <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Blocks

Dec 29, 2022 Patched in 3.2.3 (390d)

CVE-2020-36761 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Top 10 <= 2.9.4 - Cross-Site Request Forgery Bypass

Sep 16, 2020 Patched in 2.9.5 (1224d)

WF-9b320755-1255-4331-8176-ee67d8d4873e-top-10 · high · 7.4 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Top 10 – Popular posts plugin for WordPress <= 2.4.3 - SQL Injection

Dec 13, 2017 Patched in 2.4.4 (2232d)

WF-81437db2-252e-4031-884e-34112bc7b179-top-10 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Top 10 – Popular posts plugin for WordPress < 2.3.1 - Cross-Site Scripting

Jul 15, 2016 Patched in 2.3.1 (2748d)
Code Analysis
Analyzed Mar 16, 2026

WebberZone Top 10 — Popular Posts Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 31 (118 prepared)
Unescaped Output: 62 (611 escaped)
Nonce Checks: 22
Capability Checks: 35
File Operations: 3
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

79% prepared · 149 total queries

Output Escaping

91% escaped · 673 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

20 flows · 3 with unsanitized paths
extra_tablenav (includes\admin\class-statistics-table.php:595)
Attack Surface

WebberZone Top 10 — Popular Posts Attack Surface

Entry Points: 7
Unprotected: 0

AJAX Handlers 5

auth wp_ajax_tptn_chart_data includes\admin\class-dashboard.php:42
auth wp_ajax_top_ten_import_wpp includes\admin\class-wpp-importer.php:33
auth wp_ajax_tptn_tags_search includes\options-api.php:353
auth wp_ajax_wz_tags_search includes\wz-pluggables.php:216
nopriv wp_ajax_wz_tags_search includes\wz-pluggables.php:217

Shortcodes 2

[tptn_list] includes\frontend\class-shortcodes.php:27
[tptn_views] includes\frontend\class-shortcodes.php:28

WordPress Hooks 32

filter wp_dashboard_setup includes\admin\class-dashboard-widgets.php:29
filter wp_network_dashboard_setup includes\admin\class-dashboard-widgets.php:30
action admin_menu includes\admin\class-dashboard.php:39
action network_admin_menu includes\admin\class-dashboard.php:40
action admin_enqueue_scripts includes\admin\class-dashboard.php:41
action tptn_activate includes\admin\class-settings-wizard.php:56
action admin_init includes\admin\class-settings-wizard.php:57
action tptn_admin_import_export_tab_content includes\admin\class-wpp-importer.php:32
action admin_post_top_ten_import_wpp includes\admin\class-wpp-importer.php:34
action admin_enqueue_scripts includes\admin\network\class-admin.php:66
filter set-screen-option includes\admin\network\class-statistics.php:43
action network_admin_menu includes\admin\network\class-statistics.php:44
action admin_enqueue_scripts includes\admin\network\class-statistics.php:45
action admin_enqueue_scripts includes\admin\settings\class-metabox-api.php:98
action add_meta_boxes includes\admin\settings\class-metabox-api.php:99
action admin_menu includes\admin\settings\class-settings-api.php:178
action admin_init includes\admin\settings\class-settings-api.php:179
filter admin_footer_text includes\admin\settings\class-settings-api.php:180
action admin_enqueue_scripts includes\admin\settings\class-settings-api.php:181
filter admin_body_class includes\admin\settings\class-settings-api.php:182
action admin_menu includes\admin\settings\class-settings-wizard-api.php:180
action admin_init includes\admin\settings\class-settings-wizard-api.php:181
action admin_enqueue_scripts includes\admin\settings\class-settings-wizard-api.php:182
action admin_head includes\admin\settings\class-settings-wizard-api.php:242
action init includes\class-main.php:171
action switch_blog includes\frontend\class-display.php:164
filter cron_schedules includes\wz-pluggables.php:36
filter plugin_icon load-freemius.php:48
filter after_uninstall load-freemius.php:49
action activated_plugin top-10.php:127
action admin_notices top-10.php:132
action plugins_loaded top-10.php:193

Scheduled Events 2

tptn_cron_hook
tptn_cron_hook
Maintenance & Trust

WebberZone Top 10 — Popular Posts Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 21, 2026
PHP min version: 7.4
Downloads: 1.2M

Community Trust

Rating: 92/100
Number of ratings: 100
Active installs: 20K
Developer Profile

WebberZone Top 10 — Popular Posts Developer Profile

Ajay

31 plugins · 89K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 825 days
Detection Fingerprints

How We Detect WebberZone Top 10 — Popular Posts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/top-10/css/admin-bar.css
/wp-content/plugins/top-10/css/admin.css
/wp-content/plugins/top-10/css/styles.css
/wp-content/plugins/top-10/js/admin.js
/wp-content/plugins/top-10/js/widget.js
Script Paths
/wp-content/plugins/top-10/js/admin.js
/wp-content/plugins/top-10/js/widget.js
Version Parameters
top-10/css/admin-bar.css?ver=
top-10/css/admin.css?ver=
top-10/css/styles.css?ver=
top-10/js/admin.js?ver=
top-10/js/widget.js?ver=

HTML / DOM Fingerprints

CSS Classes
tptn-widget-title
tptn-widget-post-title
tptn-posts-list
tptn-post-count
wz-admin-banner
HTML Comments
<!-- Top 10 widget -->
<!-- End Top 10 widget -->
<!-- end Top 10 widget -->
Data Attributes
data-tptn-id
data-tptn-order
data-tptn-orderby
JS Globals
tptn_admin_ajax
tptn_admin_object
Shortcode Output
<div class="tptn_posts_widget"><div class="tptn-widget-title">
FAQ

Frequently Asked Questions about WebberZone Top 10 — Popular Posts