
Privilege escalation bug patched in Accelerated Mobile Pages WordPress plug-in

A WordPress plug-in used to build faster-loading web pages was discovered to contain a privilege escalation vulnerability that allows unauthorized attackers to inject malicious HTML code into the main page.

In a company blog post yesterday, researchers at WebARX disclosed the bug, which resides in the "AMP for WP – Accelerated Mobile Pages" plug-in. The software's developers patched the issue two weeks ago in its latest release, version 0.9.97.20.

Blog author and WebARX researcher Luka Šikić explains that the flaw is "located in the ampforwp_save_steps_data which is called to save settings during the installation wizard. It's been registered as wp_ajax_ampforwp_save_installer ajax hook." The problem is, the plug-in allows every registered user, irrespective of account role, to call Ajax hooks.

There is no validation step to ensure that only high-privileged admins can use this function, which is meant to let them place ads or add custom HTML in pages' headers or footers. The new version fixes this oversight, but websites running an unpatched version of the plug-in are in danger of having low-privilege users inject malicious HTML such as unwanted ads, mining scripts and other malware, Šikić warns.
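The pattern described above is a general one in WordPress: any `wp_ajax_{action}` hook fires for every authenticated user, so authorization has to be enforced inside the handler. The following is an added illustration, not the plug-in's actual code, showing a settings-saving handler of that kind first without the check and then with the controls WordPress provides. The function, action, option and nonce names (`example_save_installer`, `example_custom_header_html`, and so on) are hypothetical.

```php
<?php
// Added illustration, not the plug-in's own code. Names below are hypothetical.

// VULNERABLE PATTERN (what the unpatched hook effectively did):
//   add_action( 'wp_ajax_example_save_installer', 'example_save_steps_data_vulnerable' );
// wp_ajax_* hooks run for *every* logged-in user, whatever their role. With no
// capability check, a subscriber-level account can store arbitrary HTML in an
// option that the theme or plug-in later echoes into the page header/footer.
function example_save_steps_data_vulnerable() {
    $custom_html = isset( $_POST['custom_header_html'] )
        ? wp_unslash( $_POST['custom_header_html'] )
        : '';
    update_option( 'example_custom_header_html', $custom_html );
    wp_send_json_success();
}

// HARDENED PATTERN: identical handler, plus the two checks that were missing.
add_action( 'wp_ajax_example_save_installer', 'example_save_steps_data_fixed' );
function example_save_steps_data_fixed() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    //    This is the role check the article says was absent.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Anti-CSRF: require the nonce that the legitimate settings page embeds
    //    (hypothetical nonce action 'example_save_installer', POST field 'nonce').
    check_ajax_referer( 'example_save_installer', 'nonce' );

    $custom_html = isset( $_POST['custom_header_html'] )
        ? wp_unslash( $_POST['custom_header_html'] )
        : '';
    update_option( 'example_custom_header_html', $custom_html );
    wp_send_json_success();
}
```

Note that `wp_ajax_nopriv_{action}` hooks go further and fire for unauthenticated visitors, so the same capability check matters there too. Whether to additionally filter the stored HTML (for example with `wp_kses_post()`) is a product decision, since the feature is meant to let administrators insert raw ad markup; the essential fix is refusing the request for anyone without the capability. A quick audit of a plug-in for this class of bug is to list its `add_action( 'wp_ajax_` registrations and confirm each callback calls `current_user_can()` (or an equivalent) before writing any option.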

Just this week, it was reported that the WP GDPR Compliance WordPress plug-in was patched on Nov. 7 after a critical privilege escalation vulnerability was discovered in its wp-admin/admin-ajax.php functionality. Both this plug-in and AMP for WP – Accelerated Mobile Pages have over 100,000 active installations apiece.


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
