The Accelerated Mobile Pages WordPress plugin, with over 100,000 installations, has recently patched a medium severity vulnerability that could let an attacker inject malicious scripts to be executed by website visitors.
Cross-Site Scripting Via Shortcode
Cross-site scripting (XSS) is a prevalent type of vulnerability. In the context of WordPress plugins, XSS vulnerabilities occur when a plugin accepts input (from a form field, a URL parameter or, as in this case, a shortcode attribute) and later writes it into a page without validating or sanitizing it on the way in and without escaping it for the context it lands in on the way out.
Sanitization restricts input to the kinds of values a field is supposed to hold. For instance, if a plugin lets a user supply a link through an input field, it should reject or strip anything that doesn't belong there, such as a script tag or a "javascript:" URL. Escaping is the complementary step at output time: encoding characters such as <, > and " so the browser renders them as text instead of interpreting them as markup or attribute boundaries. A plugin that skips either step can be exploitable.
A shortcode is a WordPress feature that lets users insert a tag such as [example] into posts and pages. Shortcodes embed functionality or content provided by a plugin, and many accept attributes, for instance [example url="..."], that control what is rendered. This lets users configure a plugin through an admin panel and then copy and paste a shortcode into a post or page wherever they want the plugin's functionality to appear.
A "cross-site scripting via shortcode" vulnerability is a security flaw that lets an attacker inject malicious scripts into a website by supplying crafted attribute values to one of the plugin's shortcodes. Because the shortcode is saved with the post, the payload is stored and runs in the browser of every visitor who views that page.
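To make the mechanism concrete, here is an added example written for this article, not code from the Accelerated Mobile Pages plugin or from the Patchstack or Wordfence reports: a made-up shortcode handler that drops its attributes into HTML unescaped, next to a hardened version that sanitizes the URL and escapes at output. The shortcode name (demo_link), the attribute names and the payloads are all invented. In a real plugin the handler would be registered with WordPress's add_shortcode() and receive its attributes through shortcode_atts(), and would use esc_url(), esc_attr() and esc_html(); plain-PHP stand-ins are used here so the file runs under the php command line with no WordPress install.

```php
<?php
// Added illustration, not the Accelerated Mobile Pages plugin's own code.
// Shortcode name, attribute names and attack strings are all made up.
// In WordPress both handlers would be registered with add_shortcode() and
// receive $atts from shortcode_atts(); here they are called directly.

// VULNERABLE: attribute values reach the page verbatim. A user who can write
// posts puts [demo_link url="..." text="..."] in a post, the shortcode is
// saved with the post, and the payload renders for every visitor (stored XSS).
function demo_link_vulnerable(array $atts): string
{
    $url  = (string) ($atts['url']  ?? '#');
    $text = (string) ($atts['text'] ?? 'Read more');
    return '<a href="' . $url . '">' . $text . '</a>';
}

// HARDENED: sanitize the URL (only http/https may reach href, which blocks
// javascript: URLs that escaping alone would leave functional) and escape
// each value for the context it lands in. htmlspecialchars() with ENT_QUOTES
// stands in for WordPress's esc_attr()/esc_html(); the scheme check is a
// minimal stand-in for esc_url().
function demo_link_hardened(array $atts): string
{
    $url  = (string) ($atts['url']  ?? '#');
    $text = (string) ($atts['text'] ?? 'Read more');
    if (!preg_match('#\Ahttps?://#i', $url)) {
        $url = '#';
    }
    $safeUrl  = htmlspecialchars($url,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeText = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safeUrl . '">' . $safeText . '</a>';
}

// Constructed attack attributes, as an attacker might type them into a post:
//  - url breaks out of the href attribute and adds an event handler;
//  - text closes the anchor and injects a script tag.
$breakout = [
    'url'  => 'https://example.com/" onmouseover="alert(document.cookie)',
    'text' => '</a><script>alert(1)</script>',
];

// A second constructed payload with no quotes or angle brackets at all, so
// output escaping alone would not neutralise it; only URL sanitization does.
$jsUrl = [
    'url'  => 'javascript:alert(document.domain)',
    'text' => 'Click me',
];

foreach (['breakout' => $breakout, 'javascript-url' => $jsUrl] as $name => $atts) {
    echo "--- $name ---\n";
    echo "vulnerable: " . demo_link_vulnerable($atts) . "\n";
    echo "hardened:   " . demo_link_hardened($atts) . "\n";
}
```

Run the file with php on the command line: the "vulnerable" lines show the attacker's markup intact, while the "hardened" lines show the quotes and angle brackets encoded and the javascript: URL replaced with "#". The second payload is the one worth remembering, because it is what output escaping alone misses: a javascript: URL contains nothing that htmlspecialchars() would touch, so the URL has to be sanitized as well as escaped.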
According to a report recently published by the Patchstack WordPress security company:
“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.
This vulnerability has been fixed in version 1.0.89.”
Wordfence describes the vulnerability:
“Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user-supplied attributes.”
Wordfence also clarifies that this is an authenticated vulnerability, meaning an attacker needs an account with at least the Contributor role to exploit it. Contributor is the lowest WordPress role that can write posts, which is what keeps the bar for exploitation relatively low.
Patchstack rates the vulnerability as medium severity, with a score of 6.5 on the 10-point CVSS scale (ten being the most severe).
Users are advised to check their installations to ensure they are updated to at least version 1.0.89.
Read the Patchstack report for detailed information:
WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)
Read the Wordfence announcement for more details:
Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Featured Image by Shutterstock/pedrorsfernandes