A security researcher has disclosed details of a critical vulnerability in one of the most popular and widely used plugins for WordPress that could allow a low-privileged attacker to inject malicious code into the AMP pages of a targeted website.
The vulnerable WordPress plugin in question is "AMP for WP – Accelerated Mobile Pages", which lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages.
AMP, which stands for Accelerated Mobile Pages, is an open-source technology designed by Google to let websites build and serve faster web pages to mobile visitors.
Though I am pretty sure the main version of "The Hacker News" website is fast enough for both desktop and mobile device users, you can also check the AMP version for this specific article here.
Out of the hundreds of plugins that allow WordPress websites to create Google-optimized AMP pages, "AMP for WP" is the most popular, with more than 100,000 installations.
The affected plugin was recently removed temporarily from the WordPress plugins library due to vulnerable code, but neither its developer nor the WordPress team revealed the exact issue in the plugin.
Cybersecurity researcher Luka Sikic from web security firm WebARX analyzed the vulnerable plugin version and spotted a code-injection vulnerability in the "AMP for WP" that was later patched in its updated version.
The vulnerability resided in the way the 'AMP for WP – Accelerated Mobile Pages' plugin handled permissions for user accounts and WordPress AJAX hooks.
"The AMP plugin vulnerability is located in the ampforwp_save_steps_data which is called to save settings during the installation wizard. It's been registered as wp_ajax_ampforwp_save_installer ajax hook," Sikic says in a blog post published today.
"This particular plugin vulnerability is a critical issue for websites that allow user registration."
Under its settings, the plugin offers website administrators options to add advertisements and custom HTML/JavaScript code in the header or footer of an AMP page. To do this, the plugin uses WordPress' built-in AJAX hooks functionality in the background.
Since every registered user on a WordPress site, even one with the lowest privileges, is authorized to call AJAX hooks, and since the vulnerable plugin doesn't check whether the account calling the AJAX hook is an administrator, any user of the site can make use of this function to inject custom code.
As demonstrated by the researcher in a video, a low-privileged user can simply tamper with a request that calls the AJAX hook and submit malicious JavaScript code to the site.
This vulnerability has now been addressed in the latest version 0.9.97.20 of AMP for WP – Accelerated Mobile Pages.
"In the updated version, the plugin is checking for wpnonce value and check if logged in user can manage options," the researcher says.
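To make the described root cause and fix concrete, here is an added illustration of the same WordPress AJAX pattern (this is not the plugin's own code; the function, hook and option names are hypothetical placeholders). The first handler shows why being logged in is enough to reach a `wp_ajax_*` hook, the second adds the nonce and `manage_options` checks the researcher describes in the patched version.

```php
<?php
// Added illustration, not the AMP for WP plugin's code. Names such as
// example_save_installer_* and example_amp_footer_html are placeholders.

// --- Vulnerable pattern: any authenticated user can reach a wp_ajax_* hook ---
function example_save_installer_unsafe() {
    // No nonce check and no capability check: WordPress runs wp_ajax_* hooks
    // for every logged-in user, including subscriber-level accounts.
    $footer_html = isset( $_POST['footer_html'] ) ? wp_unslash( $_POST['footer_html'] ) : '';
    update_option( 'example_amp_footer_html', $footer_html );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_installer_unsafe', 'example_save_installer_unsafe' );

// --- Hardened pattern: verify the nonce and the caller's capability ---
function example_save_installer_safe() {
    // 1. The request must carry a valid nonce for this action (sent as
    //    _wpnonce). check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_save_installer', '_wpnonce' );

    // 2. Being logged in is not the same as being an administrator: only
    //    users who may manage site options get to change header/footer code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $footer_html = isset( $_POST['footer_html'] ) ? wp_unslash( $_POST['footer_html'] ) : '';
    update_option( 'example_amp_footer_html', $footer_html );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_installer_safe', 'example_save_installer_safe' );

// The admin page that calls the hardened handler mints the matching token with
// wp_create_nonce( 'example_save_installer' ) and posts it as _wpnonce.
```

Note that a `wp_ajax_nopriv_*` registration would expose the handler to unauthenticated visitors as well, so the capability check is the control that actually enforces who may save the setting.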
If your WordPress website uses the affected plugin, it is highly recommended that you install the latest available security update as soon as possible.
It's just the 15th of this month, and a weakness in yet another popular WordPress plugin has been discovered, affecting hundreds of thousands of websites.
Just last week, an arbitrary file deletion vulnerability was disclosed in the popular WooCommerce plugin that could have allowed a malicious or compromised privileged user to gain full control over WordPress websites.