November 15, 2018 by Luka Šikić
Another plugin vulnerability got our attention: the plugin was recently removed from the WordPress plugin library due to vulnerable code.
After being unavailable for download from the WordPress repository, the popular plugin ‘AMP for WP – Accelerated Mobile Pages’ released an updated version, 0.9.97.20, and is back in the WordPress repository.
The latest version patches multiple critical security vulnerabilities. The plugin currently has over 100,000 active installs. The vulnerabilities allow an unauthorized user to change any plugin option, including injecting custom HTML code on the main page.
In WordPress plugin development, you have the ability to register AJAX hooks, which allow you to call functions directly on
The main problem with this approach is that every registered user (regardless of account role) can call AJAX hooks. If the called hook doesn’t check the account role, every user can make use of those functions.
The AMP plugin vulnerability is located in the ampforwp_save_steps_data function, which is called to save settings during the installation wizard. It has been registered as
In the updated version, the plugin checks the wpnonce value and checks whether the logged-in user can manage options. This allows only admin users to update plugin settings.
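To make the two patterns above concrete, here is an added example of a WordPress admin-AJAX settings handler, first written the way the vulnerable code worked (reachable by any logged-in user, no nonce, no capability check) and then hardened with the nonce and manage_options checks the fix relies on. This is illustration code written for this article, not code from the AMP for WP plugin; the hook names, option names and the `security` request field are hypothetical, while `wp_ajax_*`, `check_ajax_referer`, `current_user_can` and `update_option` are the real WordPress APIs.

```php
<?php
/**
 * Added illustration (not AMP for WP's own code): an admin-AJAX settings
 * handler, first in the pattern that causes this class of vulnerability,
 * then hardened with a nonce check and a capability check.
 * Hook names, option names and the nonce action are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} fires for ANY logged-in user, whatever their role.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // No nonce, no capability check: a subscriber-level account can write
    // whatever options the handler accepts, including HTML that is later
    // rendered on the public site.
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    foreach ( $options as $name => $value ) {
        update_option( $name, $value ); // attacker controls option name AND value
    }
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_save_settings_secure', 'example_save_settings_secure' );

function example_save_settings_secure() {
    // 1. CSRF protection: the request must carry a nonce created for this
    //    action. check_ajax_referer() terminates the request if it does not.
    check_ajax_referer( 'example_settings_nonce', 'security' );

    // 2. Authorization: only users who may manage options get past this point.
    //    This is the check that restricts the endpoint to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Allow-list the options this endpoint may write, each with its own
    //    sanitizer, instead of trusting a caller-supplied option name.
    $allowed = array(
        'example_site_title'  => 'sanitize_text_field',
        'example_footer_html' => 'wp_kses_post',
    );

    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    $saved   = array();
    foreach ( $options as $name => $value ) {
        if ( ! isset( $allowed[ $name ] ) ) {
            continue; // unknown keys are ignored, not written
        }
        $saved[ $name ] = call_user_func( $allowed[ $name ], $value );
        update_option( $name, $saved[ $name ] );
    }

    wp_send_json_success( $saved );
}

// The admin page hands the nonce to the browser so legitimate requests carry it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_settings_nonce' ),
    ) );
} );
```

The nonce alone is not enough: any logged-in user can obtain a nonce from a page that prints it, so the `current_user_can( 'manage_options' )` check is what actually enforces the role. Conversely, the capability check alone leaves an administrator open to cross-site request forgery, which is why the fix described above applies both. `wp_send_json_success()` and `wp_send_json_error()` call `wp_die()` internally, so no explicit exit is needed after them.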
This particular plugin vulnerability is a critical issue for websites that allow user registration.
At the time of writing, a fix for the AMP for WP plugin vulnerability is available in the latest update. Our team has already released a firewall rule for WebARX users to prevent this attack.
For sites without an active firewall, it is critically important that any site with open user registration that uses this plugin performs the update as soon as possible.