WEB SECURITY blog

INFORMATION, TIPS AND NEWS ABOUT WEBSITE security

Wordpress security

Security risk on AMP for WP – Accelerated Mobile Pages Plugin

November 15, 2018 12:11 pm

Luka Šikić
Developer and Researcher (OSCP)

Another plugin vulnerability got our attention: the plugin was recently removed from the WordPress plugin library because of vulnerable code.

After being unavailable for download from the WordPress repository, the popular plugin ‘AMP for WP – Accelerated Mobile Pages’ released an updated version, 0.9.97.20, and is back in the WordPress repository.

The latest version patches multiple critical security vulnerabilities. The plugin currently has over 100,000 active installs. The vulnerabilities allow an unauthorized user to change any plugin option, including injecting custom HTML code into the main page.

About the AMP plugin vulnerability

In WordPress plugin development, you have the ability to register AJAX hooks, which allow functions to be called directly through wp-admin/admin-ajax.php?action=action_name.

The main problem with this approach is that every registered user (regardless of account role) can call these AJAX hooks. If the called hook doesn’t check the account role, every user can make use of the function behind it.

The AMP plugin vulnerability is located in the ampforwp_save_steps_data function, which is called to save settings during the installation wizard. It was registered as the wp_ajax_ampforwp_save_installer AJAX hook.

[Screenshot: AMP plugin vulnerability]

In the updated version, the plugin verifies the wpnonce value and checks whether the logged-in user can manage options. This allows only admin users to update plugin settings.

[Screenshot: AMP plugin vulnerability, patched version]
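The pattern described above, as an added illustration that is not the plugin’s own code: a wp_ajax_ handler that trusts any logged-in user, beside the hardened form that verifies a nonce and the manage_options capability before touching settings. The function, option and nonce names (my_plugin_*) are hypothetical.

```php
<?php
// Added example, not code from the AMP for WP plugin. All my_plugin_* names
// are hypothetical placeholders.

// BEFORE: reachable by any logged-in user via
// wp-admin/admin-ajax.php?action=my_plugin_save_settings. The wp_ajax_ prefix
// only requires a session, not a role, and the handler does no check of its own.
function my_plugin_save_settings_vulnerable() {
    $options = get_option( 'my_plugin_settings', array() );
    $options['footer_html'] = wp_unslash( $_POST['footer_html'] ?? '' );
    update_option( 'my_plugin_settings', $options );
    wp_send_json_success();
}
// The registration that makes the above pattern dangerous (shown for contrast only):
// add_action( 'wp_ajax_my_plugin_save_settings', 'my_plugin_save_settings_vulnerable' );

// AFTER: verify the nonce (CSRF protection) and the capability (authorization)
// before reading or writing any option. check_ajax_referer() ends the request
// when the nonce is missing or stale; the capability check rejects subscribers
// and other low-privilege roles with a 403.
function my_plugin_save_settings_fixed() {
    check_ajax_referer( 'my_plugin_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $options = get_option( 'my_plugin_settings', array() );
    // Administrators may legitimately store raw HTML here; it is the
    // authorization check above, not output filtering, that keeps other roles out.
    $options['footer_html'] = wp_unslash( $_POST['footer_html'] ?? '' );
    update_option( 'my_plugin_settings', $options );
    wp_send_json_success();
}
add_action( 'wp_ajax_my_plugin_save_settings', 'my_plugin_save_settings_fixed' );

// The settings page must hand the matching nonce to its admin script so that
// legitimate requests pass check_ajax_referer(). 'my-plugin-admin' is assumed
// to be a script handle registered elsewhere in the plugin.
function my_plugin_enqueue_nonce() {
    wp_localize_script( 'my-plugin-admin', 'myPluginAjax', array(
        'nonce' => wp_create_nonce( 'my_plugin_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'my_plugin_enqueue_nonce' );
```

A quick audit of any plugin is to grep for add_action( 'wp_ajax_ and confirm each handler performs both checks; a nonce alone does not authorize, and a capability check alone does not stop CSRF.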

Security risk and proof of concept

Under the plugin settings, admins can place ads and add custom HTML to the header or footer. Since there was no user role validation, any user could inject their own ads, mining scripts or JavaScript malware. This vulnerability dates back to the 20th of October, 2018.

This particular plugin vulnerability is a critical issue for websites that allow user registration.

Conclusion

At the time of writing this article, a fix for the AMP for WP plugin vulnerability is available in the latest update. Our team has already released a firewall rule for WebARX users to prevent this attack.

For sites that don’t have an active firewall, it is of critical importance that any site with open user registration that uses this plugin performs the update as soon as possible.
