The privilege-escalation vulnerability would allow an attacker to inject malware, place ads and load custom code on an impacted website.
Another day, another critical WordPress plugin vulnerability. The popular AMP for WP plugin, which helps WordPress sites load faster on mobile browsers, has a privilege-escalation flaw that allows WordPress site users of any level to make administrative changes to a website.
The plugin, which has over 100,000 active installs according to its webpage, adds support for Google’s mobile site acceleration tool, dubbed Google Accelerated Mobile Pages (AMP). Researchers at WebARX Security discovered that the plugin didn’t include a check to verify the account permissions of the currently logged in user. In turn, that lack of permission verification opens up admin API access to anyone with a login for a site.
API calls are carried out using the Ajax development framework, they’re essentially “hooks” used by site administrators to interact with the third-party and external functions they need to manage their site.
“In WordPress plugin development, you have the ability to register Ajax hooks which allows you to call functions directly,” the WebARX team explained, in a posting on Thursday. “The main problem with this approach is that every registered user (regardless of account role) can call Ajax hooks. If the called hook doesn’t check for account role, every user can make use of those functions.”
The AMP plugin vulnerability is specifically located in the “ampforwp_save_steps_data” Ajax hook, which is called to save settings during the use of the installation wizard. Exploiting this would allow any user to update the plugin’s settings.
The fix was to ensure that the plugin restricted this ability to those with admin privileges; the change was made in updated version 0.9.97.20 of the plugin.
The critical issue with this particular vulnerability, according to WebARX, is that even registered users (i.e., site visitors who have signed up for loyalty accounts, accounts for forums or message boards, e-commerce accounts and so on) could make use of the flaw, making the barrier for exploitation very low for an attacker.
This is just the latest privilege-escalation flaw in a string of recent WordPress plugin issues. Earlier in the month, a similar API call issue was discovered in the popular WP GDPR Compliance plugin, which has more than 100,000 active installs. That was actively exploited in the wild before being patched. Also this month, a file delete vulnerability that affected multiple plugins, including WooCommerce, was found impacting 4 million websites; it allowed full privilege escalation and administrative account takeover on e-commerce sites before a fix was issued.
AMP for WP, the new, fixed version is being pushed out via automatic updates.