Wordpress security

Security risk on AMP for WP – Accelerated Mobile Pages Plugin

Updated: December 10, 2018 by Oliver Sild

Another plugin vulnerability caught our attention: the plugin was recently removed from the WordPress plugin library due to vulnerable code.

After being unavailable for download from the WordPress repository, the popular plugin ‘AMP for WP – Accelerated Mobile Pages’ has released an updated version and is back in the WordPress repository.

The latest version patches multiple critical security vulnerabilities. The plugin currently has over 100,000 active installs. The vulnerabilities found allow an unauthorized user to change any plugin option, including injecting custom HTML code on the main page.

About the AMP plugin vulnerability

In WordPress plugin development, you can register AJAX hooks, which allow you to call functions directly via wp-admin/admin-ajax.php?action=action_name.

The main problem with this approach is that every registered user (regardless of account role) can call AJAX hooks. If the called hook doesn’t check the account role, every user can make use of those functions.

The AMP plugin vulnerability is located in the ampforwp_save_steps_data function, which is called to save settings during the installation wizard. It is registered as the wp_ajax_ampforwp_save_installer AJAX hook.

In the updated version, the plugin checks the wpnonce value and checks whether the logged-in user can manage options. This allows only admin users to update plugin settings.
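
The two checks described above, shown as an added example that is not the AMP for WP plugin's own code: a settings-saving AJAX handler without checks next to a hardened one. Every `example_` name, the `example_settings` option, the `security` nonce field and the allowed keys are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example; all "example_" identifiers below are hypothetical.

// Option keys the installer may write; anything else in the request is ignored.
const EXAMPLE_ALLOWED_KEYS = array( 'site_layout', 'analytics_id' );

// Weak pattern described in the article: wp_ajax_* fires for ANY logged-in
// user, and this handler stores the request without checking who sent it.
function example_save_steps_unchecked() {
    update_option( 'example_settings', $_POST['settings'] );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce, then the capability, then the data.
function example_save_steps() {
    // Third argument false: return false on a bad nonce instead of dying,
    // so the handler can answer with an explicit 403.
    if ( ! check_ajax_referer( 'example_save_installer', 'security', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    // Only users who can manage options (administrators) may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $posted = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();
    // Copy only allow-listed scalar values, sanitized as plain text.
    $clean = array();
    foreach ( EXAMPLE_ALLOWED_KEYS as $key ) {
        if ( isset( $posted[ $key ] ) && is_scalar( $posted[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $posted[ $key ] );
        }
    }
    $current = (array) get_option( 'example_settings', array() );
    update_option( 'example_settings', array_merge( $current, $clean ) );
    wp_send_json_success();
}

// Register only the hardened handler. No wp_ajax_nopriv_* hook is added,
// so visitors who are not logged in cannot reach it at all.
add_action( 'wp_ajax_example_save_installer', 'example_save_steps' );
```

The nonce check alone is not sufficient, because a nonce printed on a page that low-privilege users can load is available to them; the capability check is what restricts the action to administrators.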

Security risk and proof of concept

Under plugin settings, admins can place ads and add custom HTML in the header or footer. Since there is no user role validation, any user could inject their own ads, mining scripts or JavaScript malware. This vulnerability dates back to the 20th of October, 2018.

This particular plugin vulnerability is a critical issue for websites that allow user registration.



At the time of writing this article, a fix for the AMP for WP plugin vulnerability is available in the latest update. Our team has already released a firewall rule for WebARX users to prevent this attack.

For sites that don’t have an active firewall, it is of critical importance that any site with open user registration that uses this plugin performs the update as soon as possible.

PS! If you want to monitor and receive alerts when any plugins are vulnerable on your site, click here.
