AMP for WP, a popular WordPress plugin with more than 100,000 downloads, has come under the limelight for all the wrong reasons.

The plugin’s vulnerability was highlighted last week in WebARX blog where it published a proof of concept code on how to exploit it. Attackers took no time in responding and started exploiting it after which the plugin was removed from the official WordPress repository.

A similar vulnerability was discovered in WP GDPR compliance plugin. The vulnerability allowed attackers to use the plugin’s code to make changes on the website.

The vulnerability in AMP for WP plugin was originally discovered by Sybre Waaijer, a Dutch security researcher who discovered and reported the vulnerability to the developers back in October of this year.

Attackers could easily use the AMP for WP plugin to search the web for vulnerable sites and use the XSS vulnerability to stick malicious code in various parts of their website. This loads a JavaScript file that calls URLs which are only accessible by the admin accounts.

This JavaScript file allows hackers to create a user account by the name “supportuuser”. The account will have access to all the sections of the website include the code editor section of other plugins.

AMP for WP is now back as the developers worked around a patch that would fix the vulnerability. If you are one of the thousands of users of this plugin, it is highly recommended that you download the patch right away.