Critical AMP for WP Plugin Vulnerability Allows Any User to Gain Admin Rights

November 22, 2018


A critical vulnerability has recently been identified in a WordPress plugin that could allow site users to elevate their privileges to administrator level, giving them the ability to add custom code to a vulnerable website or upload malware. The flaw is in AMP for WP, a popular plugin that converts standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has over 100,000 active users.

Although the plugin was expected to perform checks to determine whether a given user is permitted to carry out certain administrative tasks, the checks it performed to verify the current user's account permissions were inadequate. As a result, any user, including one registered on the site only to submit comments, could gain admin rights to the site.

The flaw was discovered by WordPress plugin developer Sybre Waaijer, who explained that it would allow any user to read and download files, upload files, modify plugin settings, inject HTML content into posts, load malware such as a cryptocurrency miner, or install malicious JavaScript. Although some security checks were performed, in most cases unauthenticated users could easily perform unauthorized actions on a site with the vulnerable plugin installed.

According to web security firm WebARX, the vulnerability lies in the ampforwp_save_steps_data hook, an AJAX hook that can be called by any registered user on a site. Because insufficient checks are performed to verify the account role of the user calling the hook, any site user can use its functions.

The flaw has been fixed in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.

The new version of the plugin includes a check of the wpnonce value to determine whether the user is authorized to update plugin settings. Updates are only permitted if the user has admin rights.
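As an added illustration, not code from AMP for WP or from the researchers named above: a generic WordPress AJAX settings handler of the kind described here, first in the unchecked form that any logged-in account can reach, then with the nonce and capability checks the fix relies on. The hook names, option key and field names are hypothetical.

```php
<?php
// Added example; not AMP for WP's own code. Hook, option and field names are hypothetical.

// Vulnerable pattern: wp_ajax_* actions fire for every authenticated account,
// subscribers included, and this handler neither verifies a nonce nor checks
// the caller's capability before writing plugin settings.
add_action( 'wp_ajax_example_save_settings_unsafe', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    $value = isset( $_POST['setting'] ) ? wp_unslash( $_POST['setting'] ) : '';
    update_option( 'example_plugin_setting', $value ); // any registered user can change it
    wp_send_json_success();
}

// Hardened pattern: reject requests without a valid nonce, then reject callers
// without the administrator-level capability, before touching any state.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // The nonce ties the request to a token issued to this user for this action.
    // It is a CSRF control; on its own it does not prove the caller's role.
    check_ajax_referer( 'example_save_settings', '_wpnonce' );

    // The capability check is what actually enforces authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// The page that issues the request must embed a matching nonce, e.g.
//   wp_nonce_field( 'example_save_settings', '_wpnonce' );
// or, for a JavaScript caller, wp_create_nonce( 'example_save_settings' )
// passed via wp_localize_script() and posted as the _wpnonce field.
```

When reviewing a plugin, every wp_ajax_* callback that changes state should show both a nonce check and a capability check; a nonce alone, as the comment notes, does not establish the caller's role.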