A critical vulnerability in the popular WordPress plugin AMP (Accelerated Mobile Pages) has been discovered. AMP allows websites to “automatically generate valid accelerated mobile pages for their blog posts and other web pages.” The vulnerability has the potential to allow an attacker to insert malicious code onto the targeted site’s AMP pages. The vulnerability resides in the way that this plugin handles WordPress AJAX hooks. According to researchers, “Under its settings, the plugin offers website administrators options to add advertisements and custom HTML/JavaScript code in the header or footer of an AMP page. To do this, the plugin uses WordPress’ built-in /AJAX hooks functionality in the background.” Because every registered user on WordPress sites are authorized to call AJAX hooks, any user can use this function to inject code. This is successful because the plugin does not check to see if the account calling the AJAX hooks is an administrator or not. WordPress has been informed about the vulnerability and has released a patch to address it.
Analyst Notes
For any user that uses the AMP plugin, they are advised to install the latest update (Version 0.9.97.20) as soon as possible. Not installing the update can leave a site’s mobile user base at risk.
