AMP plugin turned WordPress sites into a platform for malicious advertising

Brother

The fixed bug used site visitors as the trigger for activating the injected script.

The Accelerated Mobile Pages (AMP) plugin for WordPress, used on more than 100,000 sites, recently fixed a vulnerability that allowed an attacker to inject malicious scripts that were activated when users visited the site.

The problem was a cross-site scripting (XSS) vulnerability via shortcodes (CVE-2023-48321, CVSS 6.5). WordPress plugins are prone to such vulnerabilities when they do not adequately validate or sanitize user-supplied data.

Input sanitization is the process of blocking or filtering unwanted types of input: for example, a plugin that accepts text through an input field but does not filter out other kinds of input, such as scripts or ZIP files.

Shortcodes in WordPress are a feature that lets users insert special tags, such as [example], into the text of posts and pages. A shortcode triggers specific plugin functions or content, and simplifies plugin configuration through the admin panel.

The discovered vulnerability allowed attackers to inject malicious scripts into the site through the plugin's shortcode mechanism, which could lead to automatic redirects or the display of ads when users visit the site.
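To make the mechanism concrete, here is an added illustration of how a shortcode handler becomes an XSS sink and how it is hardened with WordPress's own escaping helpers. This is generic example code written for this post, not the AMP plugin's code, and the shortcode name [demo_banner] and its url/text attributes are hypothetical.

```php
<?php
// Added example, not the AMP plugin's code. The shortcode name [demo_banner]
// and its attributes are hypothetical.
//
// Unsafe handler: attribute values are concatenated straight into HTML.
// A contributor (who can write posts but has no unfiltered_html capability)
// publishes:
//   [demo_banner url='" onmouseover="alert(1)' text="Read more"]
// The post contains no "<", so save-time KSES filtering leaves it alone.
// On render the handler emits
//   <a href="" onmouseover="alert(1)">Read more</a>
// and the script runs in every visitor's browser.
function demo_banner_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'text' => '' ), $atts, 'demo_banner' );
    return '<a href="' . $atts['url'] . '">' . $atts['text'] . '</a>';
}

// Hardened handler: validate the URL scheme, escape the attribute value,
// and restrict the inner text to an allow-list of tags.
function demo_banner_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'text' => '' ), $atts, 'demo_banner' );

    // esc_url() strips characters that are not valid in a URL (quotes and
    // spaces included) and returns '' for a disallowed scheme such as
    // javascript:. Its output is already escaped for use in an attribute,
    // so it is not run through esc_attr() a second time (that would
    // double-encode "&").
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }

    // wp_kses() removes every tag and attribute not in the allow-list, so
    // <img onerror=...> or <script> in the text attribute is dropped.
    $text = wp_kses( $atts['text'], array( 'strong' => array(), 'em' => array() ) );

    return '<a href="' . $url . '">' . $text . '</a>';
}

add_shortcode( 'demo_banner', 'demo_banner_shortcode_safe' );
```

The check a reviewer applies to any shortcode handler is the same one the hardened version follows: every attribute value crosses a trust boundary, so it must be escaped for the exact context it lands in (esc_url for an href, esc_attr for other attributes, esc_html or wp_kses for element content) at the point of output, regardless of what filtering happened when the post was saved.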

The security company Patchstack reported that the problem was fixed in plugin version 1.0.89. It is noted that versions up to and including 1.0.88.1 contained insufficient sanitization and escaping of user data, which led to the vulnerability.

Wordfence, a WordPress security company, emphasizes that exploiting the vulnerability requires an attacker to have rights at the site's contributor level or higher. Users are advised to update the plugin to version 1.0.89 or higher for security reasons.
 
Top