Accelerated Mobile Pages (AMP) is a WordPress plugin installed by over 100,000 websites. WordPress’s security company, Patchstack, recently released a patch for an XSS vulnerability. According to the firm, the vulnerability level was given a medium severity rating of 6.5 on a scale of 1 to 10, 10 being the highest degree of severity. The vulnerability was detected in one of the AMP plugin features, ‘shortcode.’
Developers and WordPress website creators could use the shortcode feature to add the plugin content or functionalities directly to the posting page. Users can simply insert a tag like [testtag] directly into the page. Once they do, they acquire admin panel capabilities, configure the plugin based on their needs, and ensure the plugin functionality they want to appear on the posting page.
The feature had an XSS vulnerability, also known as cross-site scripting. It is a common vulnerability with WordPress plugins and is caused when a mechanism to input data is not secured by a process that can validate or sanitize the inputs. For instance, if a form has a field that takes text as an input. Then, the system must ensure that users cannot add any other input in the respective field, including scripts or tags that may be added with malicious intents.
With the shortcode feature, cyber attackers could inject a malicious script/code into the post page, which would greatly impact a Long Island wrongful death attorney if not corrected immediately. As Patchstack deliberately explained, “This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.” The company also mentioned that the vulnerability has been fixed in the patch version 1.0.89.
Wordfence also elaborated that “Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 184.108.40.206 due to insufficient input sanitization and output escaping on user-supplied attributes.” They further mentioned how any user will require a minimum of contributor permission level to exploit this vulnerability. This means that it is an authenticated vulnerability.
The increasing amount of vulnerabilities with WordPress as of late has a large impact on many businesses, law firms, and anyone whose sites need different plugins to operate. WordPress is looking to mitigate these vulnerabilities as best they can, especially before the holiday season, but in the meantime it is important to check your sites to figure out whether you’ve been impacted.