A popular WordPress plugin, Accelerated Mobile Pages, used by over 100,000 websites, recently addressed a medium-severity security flaw. This vulnerability could have let attackers inject harmful scripts, impacting website visitors.
Understanding the vulnerability
Cross-site scripting (XSS) is a common security issue, particularly in WordPress plugins. It arises when a plugin's data input isn't adequately secured, allowing unauthorised data like scripts or zip files to be inserted. In the case of the Accelerated Mobile Pages plugin, this issue stemmed from handling shortcodes.
Shortcodes in WordPress let users easily integrate plugin functionalities within posts and pages. However, if these shortcodes are not properly secured, they can become a gateway for attackers to inject malicious scripts.
The specifics of the flaw
Wordfence, a security firm, detailed the nature of the vulnerability in the Accelerated Mobile Pages plugin. The flaw was present in all versions up to 1.0.88.1 due to inadequate sanitisation of user inputs in the plugin's shortcodes. This inadequacy allowed attackers with at least contributor-level access to exploit the vulnerability.
Patchstack, another security company, rated this exploit as having medium severity with a 6.5 score out of 10. They recommended users update their plugin to version 1.0.89 or later to mitigate the risk.
Protecting your site
For website administrators using this plugin, ensuring that the latest update is installed is crucial. Regularly updating plugins is critical to maintaining website security and protecting against such vulnerabilities.
Read the full Patchstack report on the vulnerability here:
WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)
Also, find the detailed announcement by Wordfence here: