The Accelerated Mobile Pages WordPress plugin, with over 100,000 installations, recently patched a medium-severity vulnerability that could have allowed attackers to inject malicious scripts that would execute in the browsers of website visitors. This vulnerability, known as a “cross-site scripting via shortcode” flaw, is a common class of bug that arises when a plugin does not adequately sanitize user input and escape it on output.
The vulnerability specifically stemmed from insufficient input sanitization and output escaping of user-supplied shortcode attributes. In WordPress, a shortcode is a bracketed tag that users insert into posts and pages to embed functionality or content provided by a plugin; the plugin's handler receives the tag's attributes and renders markup in their place. In this case, the plugin's shortcode handler let attackers place malicious scripts in the rendered page through those attributes.
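To make the pattern concrete, here is an added example (not the plugin's code; the shortcode name `demo_box`, its `title` attribute and the handler names are hypothetical) that puts a shortcode handler echoing a user-supplied attribute unescaped beside a hardened version that whitelists attributes with `shortcode_atts()` and escapes at the point of output with `esc_attr()` and `esc_html()`. Outside WordPress the core functions are stubbed so the file runs stand-alone.

```php
<?php
// Added example, not the plugin's code. Shortcode and attribute names are hypothetical.
// Minimal stand-ins so this file runs outside WordPress; inside a real plugin the core
// functions esc_attr(), esc_html() and shortcode_atts() are already defined.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $out = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = isset($atts[$name]) ? $atts[$name] : $default;
        }
        return $out; // attributes not in $pairs are silently dropped
    }
}

// Vulnerable pattern: the attribute value lands in the page unescaped, so anyone who can
// author [demo_box title="..."] (Contributor level and up) controls markup that every
// visitor's browser renders.
function demo_box_vulnerable($atts) {
    $title = isset($atts['title']) ? $atts['title'] : '';
    return '<div class="box" title="' . $title . '">' . $title . '</div>';
}

// Hardened pattern: whitelist known attributes, then escape for the exact output context
// (inside an attribute value vs. as element text).
function demo_box_hardened($atts) {
    $atts  = shortcode_atts(array('title' => ''), (array) $atts);
    $title = $atts['title'];
    return '<div class="box" title="' . esc_attr($title) . '">' . esc_html($title) . '</div>';
}

// In a plugin the hardened handler would be registered like this.
if (function_exists('add_shortcode')) {
    add_shortcode('demo_box', 'demo_box_hardened');
}

// Constructed sample input: a quote character that closes the title attribute early.
$sample = array('title' => 'Sale" onmouseover="alert(1)');
echo 'vulnerable: ' . demo_box_vulnerable($sample) . PHP_EOL;
echo 'hardened:   ' . demo_box_hardened($sample) . PHP_EOL;
```

Note that KSES filtering of the post body does not protect the vulnerable handler: the shortcode text itself passes that filter, and the handler builds the final markup at render time, so the escaping has to happen inside the handler.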
According to a report by the WordPress security company Patchstack, the vulnerability has been fixed in version 1.0.89 of the plugin. The report also emphasizes that this is an authenticated vulnerability, meaning that an attacker would need at least Contributor-level permissions to take advantage of the flaw.
Meanwhile, Wordfence, a popular security plugin for WordPress, also highlighted the vulnerability, describing it as a “Stored Cross-Site Scripting” issue. Wordfence’s announcement reiterated the need for users to update their installations to at least version 1.0.89 to ensure that they are protected from the vulnerability.
Patchstack rated the severity of the vulnerability as 6.5 on a scale of 1-10, with ten being the most severe. Users are therefore advised to promptly update their Accelerated Mobile Pages plugin to the latest version in order to safeguard their websites from potential attacks.
In summary, the vulnerability in the Accelerated Mobile Pages WordPress plugin posed a significant threat to website security, as it could have allowed malicious actors to inject harmful scripts that would execute whenever visitors loaded an affected page. The vulnerability has since been addressed in version 1.0.89 of the plugin, and users are advised to update their installations accordingly to mitigate the associated risk.