Nov 23, 2018
A critical vulnerability has recently been identified in a WordPress plugin that could allow registered site users to escalate their privileges to administrator level, giving them the ability to add custom code to a vulnerable website or upload malware. The vulnerability is in AMP for WP, a popular plugin that converts standard WordPress posts into the Google Accelerated Mobile Pages format to improve load times in mobile browsers. The plugin has over 100,000 active users.
Although the plugin was expected to check whether a particular user is permitted to perform certain administrative tasks, the checks carried out to confirm the current user's account permissions were inadequate. As a consequence, any registered user, including a user who registered on the site only to submit comments, could gain admin rights to the site.
According to web security company WebARX, the vulnerability lies in the ampforwp_save_steps_data hook, an Ajax hook that can be called by any registered user of a site. Because insufficient checks are performed to confirm the user's account role when the hook is called, any site user can invoke its functions.
The vulnerability has been fixed in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.
The new version of the plugin includes a check of the wpnonce value to determine whether the user is authorized to update plugin settings. Updates will only be permitted if the user has admin rights.
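As an added illustration (not the plugin's own code), the following shows the unchecked WordPress Ajax handler pattern the article describes beside a hardened version that adds the nonce and capability checks. The action name mirrors the hook named above; the function names, option name and nonce action are constructed for this example.

```php
<?php
// Added illustration, not code from AMP for WP. Function names, the option
// name and the nonce action are constructed here.

// Before: every logged-in user can reach a wp_ajax_* handler, and nothing in
// this handler verifies a nonce or the caller's capability before it writes
// plugin settings. (Shown unattached; only the hardened handler is hooked.)
function example_save_steps_unchecked() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_amp_settings', $settings ); // privileged write, no gate
    wp_send_json_success();
}

// After: the hardened handler verifies a nonce bound to this action, then
// requires an administrator-level capability before any write happens.
add_action( 'wp_ajax_ampforwp_save_steps_data', 'example_save_steps_checked' );
function example_save_steps_checked() {
    // The settings page must emit wp_create_nonce( 'example_amp_save' ) in the
    // _wpnonce field; forged or stale requests die here with HTTP 403.
    check_ajax_referer( 'example_amp_save', '_wpnonce' );

    // A valid nonce only shows the request came from the expected form; the
    // capability check is what restricts the operation to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Sanitize before persisting so the stored settings cannot carry markup.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_amp_settings', $settings );
    wp_send_json_success();
}
```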