Tuesday, 29 April 2025
27.5 C
Singapore
28.3 C
Thailand
19.9 C
Indonesia
28.3 C
Philippines

WordPress plugin vulnerability impacts over 100,000 sites

A critical update for the WordPress Accelerated Mobile Pages plugin addresses a security flaw impacting over 100,000 sites, underscoring the importance of regular updates.

A popular WordPress plugin, Accelerated Mobile Pages, used by over 100,000 websites, recently addressed a medium-severity security flaw. This vulnerability could have let attackers inject harmful scripts, impacting website visitors.

Understanding the vulnerability

Cross-site scripting (XSS) is a common security issue, particularly in WordPress plugins. It arises when a plugin’s data input isn’t adequately secured, allowing unauthorised data like scripts or zip files to be inserted. In the case of the Accelerated Mobile Pages plugin, this issue stemmed from handling shortcodes.

Shortcodes in WordPress let users easily integrate plugin functionalities within posts and pages. However, if these shortcodes are not properly secured, they can become a gateway for attackers to inject malicious scripts.

The specifics of the flaw

Wordfence, a security firm, detailed the nature of the vulnerability in the Accelerated Mobile Pages plugin. The flaw was present in all versions up to 1.0.88.1 due to inadequate sanitisation of user inputs in the plugin’s shortcodes. This inadequacy allowed attackers with at least contributor-level access to exploit the vulnerability.

Patchstack, another security company, rated this exploit as having medium severity with a 6.5 score out of 10. They recommended users update their plugin to version 1.0.89 or later to mitigate the risk.

Protecting your site

For website administrators using this plugin, ensuring that the latest update is installed is crucial. Regularly updating plugins is critical to maintaining website security and protecting against such vulnerabilities.

Read the full Patchstack report on the vulnerability here:

WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Also, find the detailed announcement by Wordfence here:

Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Hot this week

Lenovo introduces new ThinkPad mobile workstations and business laptops for the AI-ready workforce

Lenovo refreshes its ThinkPad lineup with new AI-ready mobile workstations and business laptops, enhancing mobility, performance, and security.

XPENG unveils AI-powered innovations and supercharged EVs at Auto Shanghai 2025

XPENG launches AI brain, 10-minute charging EV, and IRON humanoid robot at Auto Shanghai 2025, setting new mobility benchmarks.

Ziff Davis takes OpenAI to court over alleged copyright infringement

Ziff Davis sues OpenAI over copyright claims, accusing the AI firm of copying and using its content without permission.

Bowers & Wilkins unveil updated headphones and McLaren-themed earbuds in Singapore

Bowers & Wilkins launches Px7 S3 headphones and Pi8 McLaren earbuds in Singapore. These headphones blend high-quality sound with comfort and stylish design.

Why OpenAI chose Windsurf after Cursor said no to being bought

OpenAI considered buying Cursor but moved on to Windsurf with a US$3B offer after Cursor’s parent company, Anysphere, chose to stay independent.

Razer Launches Pro Click V2 and V2 Vertical Mice: Blending Gaming and Productivity

Razer's new Pro Click V2 and V2 Vertical mice offer gaming precision and ergonomic comfort, with AI prompt access and long battery life, available now!

Nintendo Pop-Up Store and Mario Kart Fun Return to Jewel Changi Airport

Experience the magic of Nintendo at Jewel Changi Airport with the return of the Pop-Up Store and the exciting Mario Kart Jewel Circuit Challenge!

Lian Li’s new Lancool 207 Digital case brings a 6-inch LCD screen to your PC

Lian Li's Lancool 207 Digital PC case brings a bright 6-inch LCD screen to your setup, offering style, function, and full customisation.

Google to end support for early Nest thermostats on October 25

Google will stop supporting first—and second-generation Nest thermostats on October 25 and end new Nest launches in Europe.

Related Articles

Popular Categories