100,000+ Websites are Vulnerable Due to the WordPress AMP Plugin

Accelerated Mobile Pages (AMP) is a WordPress plugin installed by over 100,000 websites. WordPress’s security company, Patchstack, recently released a patch for an XSS vulnerability. According to the firm, the vulnerability was given a medium severity rating of 6.5 on a scale of 1 to 10, with 10 being the highest degree of severity. The vulnerability was detected in one of the AMP plugin's features, ‘shortcode.’

Developers and WordPress website creators can use the shortcode feature to add plugin content or functionality directly to the posting page. Users simply insert a tag like [testtag] into the page. Once they do, they can use the admin panel to configure the plugin based on their needs and control which plugin functionality appears on the posting page.

The feature had a cross-site scripting (XSS) vulnerability. XSS is common in WordPress plugins and arises when a mechanism for inputting data is not protected by a process that validates or sanitizes the input. For instance, if a form has a field that takes text as input, the system must ensure that users cannot add any other kind of input in that field, including scripts or tags added with malicious intent.

With the shortcode feature, cyber attackers could inject a malicious script or code into the post page, which would greatly impact a Long Island wrongful death attorney if not corrected immediately. As Patchstack explained, “This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.” The company also mentioned that the vulnerability has been fixed in the patched version, 1.0.89.

Wordfence also elaborated that “Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user-supplied attributes.” They further noted that a user needs at least contributor-level permissions to exploit this vulnerability. This means that it is an authenticated vulnerability.
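The pattern Wordfence describes, missing sanitization and output escaping on shortcode attributes, is shown below as an added example; it is not code from the AMP plugin. The `[demo_banner]` shortcode, its attributes and both function names are hypothetical, and the file is assumed to be loaded as a WordPress plugin.

```php
<?php
/**
 * Plugin Name: Shortcode Escaping Demo (constructed example)
 * Hypothetical [demo_banner] shortcode; not code from the AMP plugin.
 */
defined( 'ABSPATH' ) || exit;

// BEFORE: attributes typed into a post by any author are concatenated into the
// markup as-is, so markup characters in a value become part of the page's HTML
// and are stored with the post for every later visitor.
function demo_banner_unsafe( $atts ) {
	$atts = shortcode_atts(
		array( 'title' => '', 'link' => '', 'class' => '' ),
		$atts,
		'demo_banner'
	);
	return '<a class="' . $atts['class'] . '" href="' . $atts['link'] . '">'
		. $atts['title'] . '</a>';
}

// AFTER: sanitize on input, escape on output, each value for its own context.
function demo_banner_safe( $atts ) {
	$atts = shortcode_atts(
		array( 'title' => '', 'link' => '', 'class' => '' ),
		$atts,
		'demo_banner'
	);

	// Keep only characters that are valid in a CSS class name.
	$class = sanitize_html_class( $atts['class'] );
	// esc_url() returns '' for any scheme outside the allowed list.
	$link = esc_url( $atts['link'], array( 'http', 'https' ) );
	// Element body is plain text: strip tags, then HTML-escape.
	$title = esc_html( sanitize_text_field( $atts['title'] ) );

	if ( '' === $link ) {
		// Rejected or missing URL: render text only, never a link.
		return '<span class="' . esc_attr( $class ) . '">' . $title . '</span>';
	}
	return '<a class="' . esc_attr( $class ) . '" href="' . $link . '">' . $title . '</a>';
}

// Register only the hardened handler.
add_shortcode( 'demo_banner', 'demo_banner_safe' );
```

Because the shortcode text is stored in the post, escaping at render time also neutralizes values that were saved before the handler was fixed.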

The increasing number of vulnerabilities in WordPress as of late has a large impact on many businesses, law firms, and anyone whose sites need different plugins to operate. WordPress is looking to mitigate these vulnerabilities as best they can, especially before the holiday season, but in the meantime it is important to check your sites to figure out whether you’ve been impacted.


December 19th, 2023 | Interesting