
AMP for WP Released Patch For a Massive Security Flaw

Moeez — November 22, 2018 2 Minutes Read

AMP for WP, a popular WordPress plugin with more than 100,000 downloads, has come under the limelight for all the wrong reasons.

The plugin’s vulnerability was highlighted last week on the WebARX blog, which published proof-of-concept code showing how to exploit it. Attackers took no time in responding and started exploiting it, after which the plugin was removed from the official WordPress repository.

A similar vulnerability was discovered in WP GDPR compliance plugin. The vulnerability allowed attackers to use the plugin’s code to make changes on the website.

The vulnerability in the AMP for WP plugin was originally discovered by Sybre Waaijer, a Dutch security researcher, who reported it to the developers back in October of this year.

Attackers could easily search the web for sites running the AMP for WP plugin and use the XSS vulnerability to inject malicious code into various parts of the site. The injected code loads a JavaScript file that calls URLs which are only accessible to admin accounts.

This JavaScript file allows hackers to create a user account by the name “supportuuser”. The account has access to all sections of the website, including the code editor sections of other plugins.
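Because the attack leaves a rogue administrator behind, the first check a site owner should run is an audit of who holds the administrator role. The script below is an added example, not code from the post or the plugin; it parses a users export in the shape of `wp user list --format=csv` (sample rows constructed here), flags the “supportuuser” login the post names, and flags any administrator not on an assumed allowlist of expected admins.

```python
import csv
import io

# Constructed sample in the shape of `wp user list --format=csv` output; not real site data.
SAMPLE_CSV = """ID,user_login,display_name,user_email,user_registered,roles
1,admin,Site Owner,owner@example.com,2017-03-01 10:15:00,administrator
2,editor_jane,Jane,jane@example.com,2018-02-11 08:00:00,editor
3,supportuuser,supportuuser,nobody@example.com,2018-11-15 03:42:10,administrator
"""

# Assumed allowlist: the logins the site owner knows should be administrators.
EXPECTED_ADMINS = {"admin"}

# Login name the post reports as created by the injected script.
KNOWN_ROGUE_LOGINS = {"supportuuser"}


def audit_users(csv_text, expected_admins=EXPECTED_ADMINS, rogue_logins=KNOWN_ROGUE_LOGINS):
    """Return (user_login, reason) pairs for accounts that warrant manual review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        # wp-cli joins multiple roles with commas; normalise to a set.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if login in rogue_logins:
            findings.append((login, "matches known rogue login"))
        if "administrator" in roles and login not in expected_admins:
            findings.append((login, "unexpected administrator"))
    return findings


if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE_CSV):
        print(f"REVIEW {login}: {reason}")
```

On a live site, feed it the real export (`wp user list --format=csv`) and review every flagged account, since the attacker may have picked a login other than the one reported here.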

AMP for WP is now back, as the developers have released a patch that fixes the vulnerability. If you are one of the thousands of users of this plugin, it is highly recommended that you download the patch right away.


      Moeez is ‘The’ blogger in charge of WPblog. He loves to interact and learn about WordPress with people in the WordPress community. Outside his work life, Moeez spends time hanging out with his friends, playing Xbox and watching football on the weekends. You can get in touch with him at moeez[at]wpblog.com.
