A WordPress plug-in used to build faster-loading web pages was discovered to contain a privilege escalation vulnerability that allows unauthorized attackers to inject malicious HTML code into the main page.

In a company blog post yesterday, researchers at WebARX disclosed the bug, which resides in the "MP for WP – Accelerated Mobile Pages" plug-in. The software's developers patched the issue two weeks ago in its latest release, version 0.9.97.20.

Blog author and WebARX researcher Luka Šikić explains that the flaw is "located in the ampforwp_save_steps_data which is called to save settings during the installation wizard. It’s been registered as wp_ajax_ampforwp_save_installer
ajax hook." The problem is, the plug-in allows every registered user, irrespective of account role, to call Ajax hooks.

There is no validation process to ensure that only high-privileged admins have this ability, which allows them to place ads or add custom HTML in pages' headers or footers. The new version fixes this oversight. But websites running unpatched version of the plug-ins are in danger of having low-privilege users inject malicious HTML such as unwanted ads, mining scripts and other malware, Šikić warns.

Just this week, it was reported that the WP GDPR Compliance WordPress plug-in was patched on Nov. 7 after a critical privilege escalation vulnerability was discovered in its wp-admin/admin-ajax.php functionality. Both this plug-in and MP for WP – Accelerated Mobile Pages have over 100,000 active installations apiece.