Vulnerability In The WordPress AMP Plugin Impacts More Than 100,000 Websites

A vital component of many websites, the WordPress AMP Plugin improves their performance and responsiveness on mobile devices. But among the online community, a recent discovery has raised questions. Up to 100,000+ websites using the WordPress AMP Plugin may be vulnerable to a serious flaw that has been found. This vulnerability is very dangerous since it could allow malicious organizations to execute arbitrary code or give unauthorized access to sensitive data. For developers and website owners alike, making sure WordPress plugins are secure is crucial as the digital world changes. We go deeper into the ramifications of this vulnerability, its possible effect on impacted sites, and solutions to mitigate and resolve this worrying issue in our blog series.

Vulnerability In The WordPress AMP Plugin Impacts More Than 100,000 Websites


Scripting Cross-Site Using Shortcode

Cross-site scripting (XSS) represents a prevalent vulnerability type. In the WordPress plugin context, XSS vulnerabilities occur when a plugin lacks robust measures to secure user-input data. Sanitization serves as a defense mechanism against undesirable input. For instance, if a plugin permits text input via a field, it should sanitize any input that doesn't conform, such as scripts or zip files.

Shortcodes, a feature within WordPress, enable users to insert tags like [example] into posts or pages. These shortcodes integrate plugin functionalities or content, allowing users to configure a plugin through an admin panel and then easily embed its functionality by copying and pasting the shortcode.

A "cross-site scripting via shortcode" vulnerability is a security flaw enabling attackers to inject malicious scripts into a website by exploiting the plugin's shortcode function.

In a research released lately, the WordPress security firm Patchstack stated:

"This might make it possible for a malevolent actor to insert dangerous scripts—such as adverts, redirects, and other HTML payloads—into your website, which visitors will see and use.

Version 1.0.89 has been updated to address this vulnerability"

 Wordfence describes the vulnerability:

“Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes.” 

Wordfence emphasizes that in order to take advantage of this specific vulnerability, a hacker must have at least contributor authorization level.

This exploit has a medium severity rating of 6.5 on a scale of 1–10, where 10 is the most severe vulnerability, according to Patchstack's severity rating system.

To fix this vulnerability, users are strongly encouraged to make sure their installations are updated to at least version 1.0.89.

Read the Patchstack report here:


Read the Wordfence announcement here:

Post a Comment

Previous Post Next Post