WP Popular Posts Security & Risk Analysis

wordpress.org/plugins/wordpress-popular-posts

A highly customizable, easy-to-use popular posts plugin!

100K active installs · v7.3.8 · PHP 7.4+ · WP 6.2+ · Updated Feb 17, 2026
Tags: popular, popularity, posts, top, widget

Security score: 94 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Jan 3, 2025
Safety Verdict

Is WP Popular Posts Safe to Use in 2026?

Generally Safe

Score 94/100

WP Popular Posts has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Jan 3, 2025 · Updated 1 month ago
Risk Assessment

The wordpress-popular-posts plugin v7.3.8 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and implementing a reasonable percentage of output escaping (87%). The absence of critical or high severity taint flows and no currently unpatched CVEs are also favorable indicators. The plugin also correctly utilizes nonces and capability checks for a significant portion of its entry points.

However, there are notable concerns. The presence of one AJAX handler without authentication checks represents a direct attack vector and a significant risk. While the total number of entry points isn't excessively large, this single unprotected endpoint is a critical flaw. The vulnerability history reveals a pattern of past security issues, including code injection, access control, unrestricted uploads, and cross-site scripting, with a notable presence of high and medium severity CVEs. This history, despite the lack of currently unpatched vulnerabilities, suggests a recurring need for diligent security auditing and patching in this plugin.

In conclusion, while the current version shows improvements in secure coding practices like prepared statements and decent output escaping, the single unprotected AJAX handler and the historical prevalence of various vulnerability types necessitate caution. Developers and users should be aware of the potential for future vulnerabilities and ensure the plugin is kept up-to-date with any security patches.

Key Concerns

  • Unprotected AJAX handler present
  • History of high severity CVEs
  • History of medium severity CVEs
  • Slightly low output escaping percentage (87%)
Vulnerabilities (7)

WP Popular Posts Security Vulnerabilities

CVEs by Year

  • 2021: 3 CVEs
  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 5

7 total CVEs

CVE-2024-11733 · high · 7.3 · Improper Control of Generation of Code ('Code Injection')
WordPress Popular Posts <= 7.1.0 - Unauthenticated Arbitrary Shortcode Execution
Jan 3, 2025 · Patched in 7.2.0 (1d)

CVE-2023-45607 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Popular Posts <= 6.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Oct 6, 2023 · Patched in 6.3.3 (109d)

CVE-2022-43468 · medium · 5.3 · Improper Access Control
WordPress Popular Posts <= 6.0.5 - Unauthenticated Views Changes
Nov 18, 2022 · Patched in 6.1.0 (431d)

WF-db2a0b6f-5629-4ebe-8431-ebb3bc583e31-wordpress-popular-posts · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Popular Posts <= 5.5.1 - Reflected Cross-Site Scripting
Jun 29, 2022 · Patched in 6.0.0 (573d)

CVE-2021-42362 · high · 8.8 · Unrestricted Upload of File with Dangerous Type
WordPress Popular Posts <= 5.3.2 - Authenticated Arbitrary File Upload
Nov 12, 2021 · Patched in 5.3.3 (802d)

CVE-2021-36872 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Popular Posts <= 5.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Jul 4, 2021 · Patched in 5.3.4 (932d)

CVE-2021-20746 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Popular Posts <= 5.3.2 - Authenticated Cross-Site Scripting
Jun 23, 2021 · Patched in 5.3.3 (944d)
Code Analysis (analyzed Mar 16, 2026)

WP Popular Posts Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (103 prepared)
  • Unescaped Output: 18 (122 escaped)
  • Nonce Checks: 8
  • Capability Checks: 18
  • File Operations: 8
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

100% prepared (103 total queries)

Output Escaping

87% escaped (140 total outputs)

Data Flows: all sanitized

Data Flow Analysis

1 flow: <admin-page> (src\Admin\admin-page.php:0)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface (1 unprotected)

WP Popular Posts Attack Surface

Entry Points: 7
Unprotected: 1

AJAX Handlers (7)

  • auth · wp_ajax_wpp_update_chart · src\Admin\Admin.php:116
  • auth · wp_ajax_wpp_get_most_viewed · src\Admin\Admin.php:118
  • auth · wp_ajax_wpp_get_most_commented · src\Admin\Admin.php:119
  • auth · wp_ajax_wpp_get_trending · src\Admin\Admin.php:120
  • auth · wp_ajax_wpp_reset_thumbnail · src\Admin\Admin.php:122
  • auth · wp_ajax_wpp_clear_thumbnail · src\Admin\Admin.php:124
  • auth · wp_ajax_wpp_handle_performance_notice · src\Admin\Admin.php:136
WordPress Hooks (43)

  • action · wpmu_new_blog · src\Admin\Admin.php:99
  • filter · wpmu_drop_tables · src\Admin\Admin.php:101
  • filter · dashboard_glance_items · src\Admin\Admin.php:103
  • action · admin_head · src\Admin\Admin.php:104
  • action · wp_dashboard_setup · src\Admin\Admin.php:106
  • action · admin_enqueue_scripts · src\Admin\Admin.php:108
  • action · admin_menu · src\Admin\Admin.php:110
  • action · admin_head · src\Admin\Admin.php:112
  • filter · plugin_action_links · src\Admin\Admin.php:114
  • action · updated_post_meta · src\Admin\Admin.php:126
  • action · deleted_post_meta · src\Admin\Admin.php:127
  • action · wp_trash_post · src\Admin\Admin.php:129
  • action · admin_init · src\Admin\Admin.php:131
  • action · wpp_cache_event · src\Admin\Admin.php:133
  • action · wpp_maybe_performance_nag · src\Admin\Admin.php:135
  • action · admin_notices · src\Admin\Admin.php:138
  • filter · wpp_query_join · src\Admin\Admin.php:911
  • action · delete_post · src\Admin\Admin.php:1229
  • action · init · src\Block\Block.php:15
  • action · plugins_loaded · src\Bootstrap.php:19
  • filter · autoptimize_filter_js_exclude · src\Compatibility\Autoptimize\Autoptimize.php:23
  • action · elementor/editor/after_enqueue_scripts · src\Compatibility\Elementor\Elementor.php:53
  • action · elementor/widgets/register · src\Compatibility\Elementor\Elementor.php:55
  • filter · shortcode_atts_wpp · src\Compatibility\Elementor\Elementor.php:57
  • filter · litespeed_optimize_js_excludes · src\Compatibility\LiteSpeedCache\LiteSpeedCache.php:23
  • filter · litespeed_optm_js_defer_exc · src\Compatibility\LiteSpeedCache\LiteSpeedCache.php:24
  • filter · litespeed_optm_js_delay_inc · src\Compatibility\LiteSpeedCache\LiteSpeedCache.php:25
  • action · init · src\Compatibility\Polylang\Polylang.php:41
  • filter · sgo_javascript_combine_exclude_ids · src\Compatibility\SiteGroundOptimizer\SiteGroundOptimizer.php:23
  • filter · w3tc_minify_js_script_tags · src\Compatibility\W3TotalCache\W3TotalCache.php:23
  • filter · rocket_exclude_js · src\Compatibility\WPRocket\WPRocket.php:23
  • filter · rocket_exclude_defer_js · src\Compatibility\WPRocket\WPRocket.php:24
  • filter · rocket_delay_js_exclusions · src\Compatibility\WPRocket\WPRocket.php:25
  • filter · rocket_cdn_reject_files · src\Compatibility\WPRocket\WPRocket.php:26
  • action · wp_head · src\Front\Front.php:54
  • action · wp_head · src\Front\Front.php:55
  • action · wp_enqueue_scripts · src\Front\Front.php:56
  • action · rest_api_init · src\Rest\Controller.php:81
  • filter · wpp_is_single · src\Rest\WidgetEndpoint.php:74
  • action · after_setup_theme · src\Themer.php:49
  • action · init · src\Upgrader.php:25
  • action · widgets_init · src\Widget\Widget.php:99
  • filter · widget_types_to_hide_from_legacy_widget_block · src\Widget\Widget.php:101

Scheduled Events (2)

  • wpp_cache_event
  • wpp_maybe_performance_nag
Maintenance & Trust

WP Popular Posts Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 17, 2026
PHP min version: 7.4
Downloads: 8.6M

Community Trust

Rating: 90/100
Number of ratings: 248
Active installs: 100K
Developer Profile

WP Popular Posts Developer Profile

Hector Cabrera

2 plugins · 100K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 635 days
Detection Fingerprints

How We Detect WP Popular Posts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wordpress-popular-posts/asset/css/admin.css
  • /wp-content/plugins/wordpress-popular-posts/asset/css/main.css
  • /wp-content/plugins/wordpress-popular-posts/asset/css/wpp-admin-bar.css
  • /wp-content/plugins/wordpress-popular-posts/asset/css/wpp-pagination.css
  • /wp-content/plugins/wordpress-popular-posts/asset/js/admin.js
  • /wp-content/plugins/wordpress-popular-posts/asset/js/main.js

Script Paths

  • https://charts.jsdelivr. (.net|.org)/npm/chart.js@3.9.1/dist/chart.min.js
  • https://charts.jsdelivr. (.net|.org)/npm/moment@2.29.4/moment.min.js

Version Parameters

  • /wp-content/plugins/wordpress-popular-posts/asset/css/admin.css?ver=
  • /wp-content/plugins/wordpress-popular-posts/asset/css/main.css?ver=
  • /wp-content/plugins/wordpress-popular-posts/asset/css/wpp-admin-bar.css?ver=
  • /wp-content/plugins/wordpress-popular-posts/asset/css/wpp-pagination.css?ver=
  • /wp-content/plugins/wordpress-popular-posts/asset/js/admin.js?ver=
  • /wp-content/plugins/wordpress-popular-posts/asset/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wpp-post-list
  • wpp-thumbnail
  • wpp-post-title
  • wpp-post-meta
  • wpp-post-excerpt

HTML Comments

  • <!-- WP Popular Posts -->
  • <!-- End WP Popular Posts -->

Data Attributes

  • data-wpp-id
  • data-wpp-post-id

JS Globals

  • wpp_data

REST Endpoints

  • /wp-json/wpp/v1/popular

Shortcode Output

  • [wpp
FAQ

Frequently Asked Questions about WP Popular Posts