Updated: December 10, 2018 by Oliver Sild
Another plugin vulnerability caught our attention: the plugin was recently removed from the WordPress plugin directory because of vulnerable code.
After being unavailable for download from the WordPress repository, the popular plugin ‘AMP for WP – Accelerated Mobile Pages’ released an updated version, 0.9.97.20, and is back in the WordPress repository.
The latest version patches multiple critical security vulnerabilities. The plugin currently has more than 100,000 active installs. The vulnerabilities allow an unauthorized user to change any plugin option, including injecting custom HTML code on the main page.
In WordPress plugin development, you can register AJAX hooks, which allow functions to be called directly via wp-admin/admin-ajax.php?action=action_name.
The main problem with this approach is that every registered user, regardless of account role, can call AJAX hooks. If the called hook doesn’t check the account role, every user can make use of those functions.
The AMP plugin vulnerability is located in the ampforwp_save_steps_data function, which is called to save settings during the installation wizard. It is registered as the wp_ajax_ampforwp_save_installer AJAX hook.
In the updated version, the plugin checks the wpnonce value and checks whether the logged-in user can manage options. This allows only admin users to update plugin settings.
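The two checks described above, shown as an added illustrative handler rather than the AMP for WP plugin's own code; the hook name example_save_settings, the option name and the nonce action are assumed names:

```php
<?php
// Illustrative admin-ajax handler (not the plugin's code). Registering an
// AJAX hook makes it reachable by any logged-in user through
// wp-admin/admin-ajax.php?action=example_save_settings, so the handler
// itself has to enforce the nonce and capability checks.

// Vulnerable pattern: no nonce, no capability check. Any logged-in
// account, including a subscriber, can overwrite the option.
function example_save_settings_unsafe() {
    $custom_html = isset( $_POST['custom_html'] ) ? wp_unslash( $_POST['custom_html'] ) : '';
    update_option( 'example_custom_html', $custom_html );
    wp_send_json_success();
}

// Hardened pattern, mirroring the fix: verify the nonce (rejects
// cross-site and stale requests; dies on failure) and require the
// manage_options capability, which only administrators hold by default.
function example_save_settings_safe() {
    check_ajax_referer( 'example_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $custom_html = isset( $_POST['custom_html'] ) ? wp_unslash( $_POST['custom_html'] ) : '';
    update_option( 'example_custom_html', $custom_html );
    wp_send_json_success();
}
// Only the hardened handler is registered on the hook.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_safe' );

// Emits the matching nonce field into the admin form so legitimate
// requests carry the value that check_ajax_referer() expects.
function example_settings_nonce_field() {
    wp_nonce_field( 'example_save_settings', 'nonce' );
}
```

Note that the nonce alone is not an authorization check: any logged-in user can obtain a nonce for an action they can reach, so the current_user_can() test is what actually restricts the handler to administrators.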
Under plugin settings, admins can place ads and add custom HTML in the header or footer. Since there was no user role validation, any user could inject their own ads, mining scripts or JavaScript malware. This vulnerability dates back to October 20, 2018.
This particular plugin vulnerability is a critical issue for websites that allow user registration.
At the time of writing, a fix for the AMP for WP plugin vulnerability is available in the latest update. Our team has already released a firewall rule for WebARX users to prevent this attack.
For sites that don’t have an active firewall, it is critically important that any site with open user registration that uses this plugin performs the update as soon as possible.
PS! If you want to monitor and receive alerts when any plugins are vulnerable on your site, click here.