Wednesday, 2 April 2025
27.8 C
Singapore
31.2 C
Thailand
20.5 C
Indonesia
26.8 C
Philippines

WordPress plugin vulnerability impacts over 100,000 sites

A critical update for the WordPress Accelerated Mobile Pages plugin addresses a security flaw impacting over 100,000 sites, underscoring the importance of regular updates.

A popular WordPress plugin, Accelerated Mobile Pages, used by over 100,000 websites, recently addressed a medium-severity security flaw. This vulnerability could have let attackers inject harmful scripts, impacting website visitors.

Understanding the vulnerability

Cross-site scripting (XSS) is a common security issue, particularly in WordPress plugins. It arises when a plugin’s data input isn’t adequately secured, allowing unauthorised data like scripts or zip files to be inserted. In the case of the Accelerated Mobile Pages plugin, this issue stemmed from handling shortcodes.

Shortcodes in WordPress let users easily integrate plugin functionalities within posts and pages. However, if these shortcodes are not properly secured, they can become a gateway for attackers to inject malicious scripts.

The specifics of the flaw

Wordfence, a security firm, detailed the nature of the vulnerability in the Accelerated Mobile Pages plugin. The flaw was present in all versions up to 1.0.88.1 due to inadequate sanitisation of user inputs in the plugin’s shortcodes. This inadequacy allowed attackers with at least contributor-level access to exploit the vulnerability.

Patchstack, another security company, rated this exploit as having medium severity with a 6.5 score out of 10. They recommended users update their plugin to version 1.0.89 or later to mitigate the risk.

Protecting your site

For website administrators using this plugin, ensuring that the latest update is installed is crucial. Regularly updating plugins is critical to maintaining website security and protecting against such vulnerabilities.

Read the full Patchstack report on the vulnerability here:

WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Also, find the detailed announcement by Wordfence here:

Accelerated Mobile Pages <= 1.0.88.1 โ€“ Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Hot this week

Chinese EV makers urged to expand globally despite tariff challenges

Chinese EV makers are urged to expand globally despite rising tariffs. Industry experts stress the need for overseas production and strategic partnerships.

Gmail introduces easier encryption for business emails

Google introduces a new encryption model for Gmail, making it easier for businesses to send secure emails without special software or certificates.

Sennheiser introduces the HD 550: A new entry-level open-back headphone

Sennheiser launches the HD 550, an entry-level open-back headphone with improved frequency response and premium build quality.

Owndays and Huawei launch new titanium smart audio glasses

Owndays and Huawei launch the Eyewear 2 Smart Audio Glasses Titanium Edition, featuring Bluetooth 5.3, 11-hour playback, and a premium frame.

OPPO launches Watch X2 in Singapore with premium design and advanced health features

OPPO introduces the Watch X2 in Singapore with a premium design, advanced health features, and up to 16 days of battery life.

These robot vacuums are getting smarter with Apple Home support

Appleโ€™s iOS 18.4 update adds Matter support for robot vacuums, enabling control via Apple Home. Roborock, iRobot, and Ecovacs are updating their devices.

Gmail introduces easier encryption for business emails

Google introduces a new encryption model for Gmail, making it easier for businesses to send secure emails without special software or certificates.

Nothing Phone (3a) Pro review: A mid-range marvel with standout zoom

Nothing Phone (3a) Pro blends standout design, powerful zoom camera, and smart features, making it a top choice in the mid-range segment.

Vivo challenges iPhone 16 Pro Max with X200 Ultraโ€™s video stability

Vivoโ€™s X200 Ultra teaser compares video stability with the iPhone 16 Pro Max, promising top-tier camera upgrades and advanced stabilisation.

Related Articles