At the start of last week, news broke of a security flaw in a popular WordPress plugin that serves AMP versions of your posts and pages. On any of the plugin's roughly 100,000 active installations, the flaw could let any registered user, whatever their role, escalate to admin capabilities.

The plugin has since been updated: the security patch shipped in version 0.9.97.20, and the latest version is believed to fix the flaw. You can download the latest version of the plugin here.

In earlier, unsafe versions of the plugin, a fundamental user capability check was missing from some of the plugin's AJAX handlers: the code performed privileged tasks without first verifying that the requesting user was actually allowed to perform them. Being logged in was enough.
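To make the omission concrete, here is the vulnerable pattern next to its hardened form. This is example code added for this page, not code from the AMP for WP plugin; the action name, option name and nonce name are hypothetical, and the WordPress functions it calls are the standard ones a plugin author would use.

```php
<?php
// Example code added for illustration; not taken from the AMP for WP plugin.
// The action name, option name and nonce name are hypothetical. This file is
// assumed to be loaded as part of a plugin inside WordPress.

// VULNERABLE: the wp_ajax_{action} hook fires for ANY logged-in user, so a
// subscriber can POST to /wp-admin/admin-ajax.php?action=example_save_unsafe
// and this handler will overwrite a site-wide option with whatever they send.
// Authentication (being logged in) is being mistaken for authorization.
function example_save_unsafe() {
    $value = isset( $_POST['custom_html'] ) ? wp_unslash( $_POST['custom_html'] ) : '';
    update_option( 'example_custom_html', $value ); // unsanitized, writable by anyone
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_unsafe', 'example_save_unsafe' );

// HARDENED: check the capability the task actually requires, require a nonce
// so an administrator cannot be tricked (CSRF) into making the same request,
// and sanitize what gets stored before it reaches the database.
function example_save_settings() {
    // 1. CSRF: the settings page must have emitted
    //    wp_nonce_field( 'example_save_settings', 'example_nonce' ).
    //    check_ajax_referer() dies with a -1 response if the nonce is bad.
    check_ajax_referer( 'example_save_settings', 'example_nonce' );

    // 2. Authorization: only users who may manage options can change them.
    //    This is the check that was missing in the vulnerable versions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: strip WordPress' added slashes, then sanitize.
    //    wp_kses_post() keeps the HTML an editor is allowed to post and
    //    removes <script> and event-handler attributes.
    $raw   = isset( $_POST['custom_html'] ) ? wp_unslash( $_POST['custom_html'] ) : '';
    $clean = wp_kses_post( $raw );

    update_option( 'example_custom_html', $clean );
    wp_send_json_success( array( 'saved_length' => strlen( $clean ) ) );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
```

A quick audit of any plugin you run follows from the same idea: search its source for `add_action( 'wp_ajax_` and `add_action( 'wp_ajax_nopriv_` and confirm that every handler reached that way calls `current_user_can()` for the capability the task needs and `check_ajax_referer()` (or `wp_verify_nonce()`) before it changes anything. A handler that only checks `is_user_logged_in()` is reachable by every subscriber on the site.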

The consequences of this seemingly small omission could be catastrophic, as detailed in this blog post, which explains how the flaw could be used to inject JavaScript that adds new users with full admin capabilities, at which point the attacker can do absolutely anything with your WordPress site.

So if you are using the Accelerated Mobile Pages plugin (to be clear, this is NOT the AMP plugin created by the WordPress team), you are strongly urged to upgrade to the latest version if you have not already done so.
