Critical AMP for WP Plugin Vulnerability Allows Any User to Gain Admin Rights

By Richard Anderson

A new critical WordPress plugin vulnerability has been identified that could allow site users to escalate privileges to admin level, giving them the ability to add custom code to a vulnerable website or upload malware. The vulnerability is in the AMP for WP plugin, a popular plugin that converts standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has more than 100,000 active users.

While the plugin was supposed to perform checks to determine whether a user is authorized to carry out certain administrative tasks, the checks it performed were insufficient to verify the current user's account permissions. As a result, any user, including one registered on the site only to submit comments, could gain admin rights to the site.

The flaw was discovered by WordPress plugin developer Sybre Waaijer, who explained that it would allow any user to read and download files, upload files, change plugin settings, inject HTML content into posts, load malware such as a cryptocurrency miner, or install malicious JavaScript. While some security checks were performed, in most cases unauthenticated users could easily perform unauthorized activities on a site with the vulnerable plugin installed.

According to web security firm WebARX, the vulnerability is in the ampforwp_save_steps_data hook, an AJAX hook that any registered user on a site can call. Because the hook does not adequately verify the role of the account calling it, any site user can invoke the functions behind it.

The flaw has been corrected in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.

The new version of the plugin incorporates a check of the wpnonce value to determine whether the user is authorized to update plugin settings. Updates will only be permitted if the user has admin privileges.
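As an added illustration of the pattern described above (not the plugin's actual code), here is a WordPress AJAX handler that any logged-in user can reach, beside a hardened version that verifies the nonce and the caller's capability before saving settings. The nonce action name, option name and request field names are assumptions.

```php
<?php
// Constructed example, not code from the AMP for WP plugin.
// wp_ajax_* handlers run for every logged-in user, subscribers included,
// so a handler that saves settings must check who is calling it.

// Vulnerable pattern (shown for contrast, deliberately NOT registered):
// nothing here checks the caller's role or a nonce.
function insecure_save_steps_data() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'ampforwp_settings', $settings ); // hypothetical option name
    wp_send_json_success();
}

// Hardened pattern: require a valid _wpnonce for this action and the
// manage_options capability, which only administrators hold by default.
function secure_save_steps_data() {
    // Ends the request with a 403 unless the request carries a nonce created
    // with wp_create_nonce( 'ampforwp_save_steps' ) in the _wpnonce field.
    check_ajax_referer( 'ampforwp_save_steps', '_wpnonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    // Assumes flat string values; sanitize each one before storing it.
    $settings = array_map( 'sanitize_text_field', $settings );
    update_option( 'ampforwp_settings', $settings ); // hypothetical option name
    wp_send_json_success();
}
add_action( 'wp_ajax_ampforwp_save_steps_data', 'secure_save_steps_data' );
```

The nonce alone is not an authorization check: it only ties the request to a form the user loaded, so the capability check is what actually restricts the action to administrators.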


Richard Anderson is the Editor-in-Chief of NetSec.news