The Accelerated Mobile Pages WordPress plugin, which has over 100,000 installations, has patched a medium severity vulnerability that could allow an attacker to inject malicious scripts that would then be executed in the browsers of website visitors.
Cross-Site Scripting Via Shortcode
Cross-site scripting (XSS) is one of the most frequent kinds of vulnerability. In the context of WordPress plugins, XSS vulnerabilities arise when a plugin accepts input that is not sufficiently protected by a process that validates or sanitizes user input, and by a process that escapes that input before it is written into a page.
Sanitization is a way to block unwanted kinds of input. For example, if a plugin allows a user to add text through an input field, it should also strip out anything entered into that field that does not belong there, such as a script or file upload. Escaping is the complementary step: whatever survives sanitization is still encoded for the place it is output (an HTML attribute, page text, a URL), so that the browser treats it as data rather than as markup or code.
A shortcode is a WordPress feature that allows users to insert a tag that looks like [example] within posts and pages. Shortcodes embed functionality or content that is provided by a plugin. This lets users configure a plugin through an admin panel and then copy and paste a shortcode into a post or page at the spot where they want the plugin's output to appear.
A "cross-site scripting via shortcode" vulnerability is a security flaw in which the plugin's shortcode handler writes user-supplied values, typically shortcode attributes, into the rendered page without sanitizing or escaping them, allowing an attacker who can author posts to inject scripts that run for every visitor to that page.
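To make the bug class concrete, here is an added example (constructed for this article, not code from the Accelerated Mobile Pages plugin or from Patchstack or Wordfence) showing a shortcode handler that concatenates attributes straight into HTML next to a hardened version that sanitizes on input and escapes per output context. The shortcode tag `demo_box` and both function names are invented; the WordPress API functions used (`add_shortcode`, `shortcode_atts`, `sanitize_text_field`, `esc_attr`, `esc_html`, `esc_url`) are real and assumed to be loaded.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded so that
// add_shortcode(), shortcode_atts(), sanitize_text_field(), esc_attr(),
// esc_html() and esc_url() are available. The "demo_box" tag is hypothetical.
//
// Usage in a post: [demo_box title="Read more" link="https://example.com/"]

/**
 * VULNERABLE pattern: shortcode attributes come from whoever wrote the post,
 * and here they are dropped into attribute and text context unmodified.
 * A user with only the Contributor role can therefore place quote characters
 * and arbitrary markup in an attribute, and that markup is rendered verbatim
 * for every visitor. This is the "insufficient input sanitization and output
 * escaping on user supplied attributes" the advisories describe.
 */
function demo_box_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '' ),
        $atts,
        'demo_box'
    );
    return '<div class="demo-box" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a>'
         . '</div>';
}

/**
 * HARDENED version of the same handler.
 *  - sanitize_text_field() strips tags, line breaks and control characters
 *    from free text at the input stage.
 *  - esc_url() returns an empty string for URLs whose scheme is not on the
 *    WordPress allow-list, so a non-http(s) pseudo-URL cannot reach href.
 *  - esc_attr() / esc_html() encode the value for the exact context it is
 *    written into (attribute value vs. element text); each value is escaped
 *    once, at output, for its own context.
 */
function demo_box_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '' ),
        $atts,
        'demo_box'
    );

    $title = sanitize_text_field( $atts['title'] );  // input sanitization
    $link  = esc_url( $atts['link'] );               // URL context escaping

    return '<div class="demo-box" title="' . esc_attr( $title ) . '">'
         . '<a href="' . $link . '">' . esc_html( $title ) . '</a>'
         . '</div>';
}

// Register only the hardened handler; the unsafe one exists for comparison.
add_shortcode( 'demo_box', 'demo_box_safe' );
```

Why a Contributor-level account is enough: WordPress filters post content through its kses HTML allow-list when a user without the `unfiltered_html` capability saves a post, which removes raw script tags. Shortcodes, however, are expanded by the plugin at render time, after that filter has run, so any attribute the handler writes into HTML without escaping bypasses the protection the post editor otherwise provides. Reviewing a plugin for this class of bug means finding every shortcode callback and checking that each attribute reaching the returned markup passes through a context-appropriate `esc_*` function.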
According to a report recently published by the Patchstack WordPress security company:
“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.
This vulnerability has been fixed in version 1.0.89.”
Wordfence describes the vulnerability:
“Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 22.214.171.124 due to insufficient input sanitization and output escaping on user supplied attributes.”
Wordfence also clarifies that this is an authenticated vulnerability, which for this specific flaw means that an attacker needs at least the Contributor permission level in order to take advantage of it.
Patchstack rates the vulnerability as medium severity, scoring 6.5 on a scale of 1-10 (with ten being the most severe).
Users are advised to check their installations and confirm that the plugin is updated to at least version 1.0.89.
Read the Patchstack report here:
WordPress Accelerated Mobile Pages Plugin <= 126.96.36.199 is vulnerable to Cross Site Scripting (XSS)
Read the Wordfence announcement here:
Accelerated Mobile Pages <= 188.8.131.52 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Featured Image by Shutterstock/pedrorsfernandes