The popular AMP plugin for WordPress has released a patch for a critical security vulnerability.
AMP, short for Accelerated Mobile Pages, is an open source initiative that makes it easy for publishers to create mobile-friendly content. The AMP for WordPress plugin helps WordPress sites load faster in mobile browsers. The plugin has a privilege-escalation flaw that allows WordPress site users of any level to make changes to the site as an administrator.
The plugin has over 100,000 active installs and adds support for Google’s AMP format, which is used heavily by Google and also by Twitter. Researchers at WebARX Security found the flaw: the plugin did not include a check to verify the account permissions of the currently logged-in user. The lack of permission verification gives admin-level API access to any user with a login for the site.
In the Ajax development framework, Application Programming Interface (API) calls are made essentially by site administrators, using ‘hooks’ to interact with external and third-party functions to manage their site.
The WebARX team explained in an official post that WordPress plugin development allows plugins to register Ajax hooks that let a user call functions directly. The critical issue with this approach is that every registered user, regardless of role, can call Ajax hooks; if the hook does not check the account role, any user can make use of those functions.
The AMP plugin vulnerability is located specifically in the “amforwp_save_steeps_data” Ajax hook, which is called to save settings during the installation wizard.
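To show the pattern WebARX describes, here is an added illustration (not the plugin’s own code) of a WordPress Ajax handler that saves settings without any permission check, beside a hardened version that verifies the nonce and the caller’s capability first. The hook names, option name and nonce action are hypothetical.

```php
<?php
// Added example, not code from the AMP plugin. All names below are hypothetical.

// BEFORE: any logged-in user of any role can reach a wp_ajax_* callback
// through admin-ajax.php. A handler that simply saves what it is given
// therefore lets a subscriber rewrite administrator-level settings.
add_action( 'wp_ajax_example_save_steps_unchecked', 'example_save_steps_unchecked' );
function example_save_steps_unchecked() {
    // No nonce check and no capability check: the vulnerable pattern.
    update_option( 'example_plugin_settings', $_POST['settings'] );
    wp_send_json_success();
}

// AFTER: reject the request unless it carries a valid nonce (CSRF) and the
// caller is allowed to manage site options (authorization); then sanitize.
add_action( 'wp_ajax_example_save_steps_checked', 'example_save_steps_checked' );
function example_save_steps_checked() {
    // Dies with -1 if the 'nonce' field was not issued for this action.
    check_ajax_referer( 'example_save_steps', 'nonce' );

    // Only users with manage_options (administrators by default) proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Accept only an array of settings and strip slashes WordPress adds to $_POST.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Sanitize each value before it is stored.
    $clean = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_plugin_settings', $clean );

    wp_send_json_success( array( 'saved' => count( $clean ) ) );
}
```

In a plugin, only the checked handler would be registered; the unchecked one is kept here purely for comparison.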
Hacking effects.
Exploiting this would allow any user to update the plugin’s settings. With those settings, users can do many things on a website, such as placing ads, injecting custom HTML code or malicious code like JavaScript malware or mining scripts, and manually uploading other WordPress plugins.
According to the WebARX team, the critical issue with this specific vulnerability is that even ordinary registered users can make use of the flaw, which lowers the barrier for an attacker.
Reports state that approximately 80% of breaches are the result of privilege misuse. Developers are moving fast, and DevOps pushes code rapidly to production, so it is critical that security checks be built into this automation flow to avoid potentially costly mistakes that affect users’ trust.
The critical flaw in the AMP plugin is only the latest privilege-escalation flaw in a WordPress plugin: earlier this month a similar API call issue was uncovered in the WordPress GDPR Compliance plugin, which also has more than 100,000 active installs. Another issue came into the spotlight when a file-deletion vulnerability affected multiple plugins, including WooCommerce, which is found on 4 million websites; it allowed administrative account takeover and full privilege escalation on e-commerce sites.
Download the Patch
Users of the plugin are recommended to download the patch. If automatic updates are turned on, the plugin may already have been patched. If not, applying the patch is as simple as updating the plugin from the WordPress dashboard.
The relieving news is that, in the case of AMP for WordPress, the new, fixed versions are being pushed out via automatic updates.