back to top
Thursday. 31 October 2024

WordPress plugin vulnerability impacts over 100,000 sites

A critical update for the WordPress Accelerated Mobile Pages plugin addresses a security flaw impacting over 100,000 sites, underscoring the importance of regular updates.

Published:

Published:

Trending Stories

- Advertisement -

A popular plugin, Accelerated Mobile Pages, used by over 100,000 websites, recently addressed a medium-severity flaw. This vulnerability could have let attackers inject harmful scripts, impacting website visitors.

Understanding the vulnerability

Cross-site scripting (XSS) is a common security issue, particularly in WordPress plugins. It arises when a plugin's data input isn't adequately secured, allowing unauthorised data like scripts or zip files to be inserted. In the case of the Accelerated Mobile Pages plugin, this issue stemmed from handling shortcodes.

Shortcodes in WordPress let users easily integrate plugin functionalities within posts and pages. However, if these shortcodes are not properly secured, they can become a gateway for attackers to inject malicious scripts.

The specifics of the flaw

Wordfence, a security firm, detailed the nature of the vulnerability in the Accelerated Mobile Pages plugin. The flaw was present in all versions up to 1.0.88.1 due to inadequate sanitisation of user inputs in the plugin's shortcodes. This inadequacy allowed attackers with at least contributor-level access to exploit the vulnerability.

Patchstack, another security company, rated this exploit as having medium severity with a 6.5 score out of 10. They recommended users update their plugin to version 1.0.89 or later to mitigate the risk.

Protecting your site

For website administrators using this plugin, ensuring that the latest update is installed is crucial. Regularly updating plugins is critical to maintaining website security and protecting against such vulnerabilities.

Read the full Patchstack report on the vulnerability here:

WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Also, find the detailed announcement by Wordfence here:

Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Tech Edition has partnerships that involve sponsored content. While this financial support helps us with daily operations, it doesn't affect the integrity of our reviews. We remain committed to delivering honest and insightful content to our readers.

Tech Edition is now on Telegram! Join our channel here and catch all the latest tech news!



Nurin Sofia
Nurin Sofia
Nurin Sofia is a news editor at Tech Edition. Her interest is in technology and startups, occasionally crunching news for gaming. Sofia enjoys playing video games, going on bike rides, and gardening when she isn't behind a keyboard.

Featured Content

Layoffs reshape Asia’s business landscape: From tech giants to e-commerce leaders

Mass layoffs in Asia's tech, e-commerce, fashion, and sports sectors raise questions about how businesses can balance profitability, operational efficiency, and employee welfare.

Related Stories