
WordPress AMP Plugin Exploited: Code Injection Vulnerability

Updated on: March 29, 2020


This article discusses the code injection vulnerability in older versions (0.9.97.20 and below) of the AMP for WP plugin. We first describe what Accelerated Mobile Pages are, and then how the plugin exposed an exploitable flaw.

Accelerated Mobile Pages (AMPs) – A Brief Introduction

AMP is a Google-led project that originally aimed to make web pages load dramatically faster for mobile users. According to the project website, AMP is an open-source library that provides a straightforward way to create web pages that load near-instantly. AMP pages are ordinary web pages: you can link to them, and they remain under your control.

An AMP page is built from three components:

  • AMP HTML: a restricted subset of HTML (with a few custom tags), so that a page does not have to load every browser feature before it can render.
  • AMP JS: the core runtime that loads the page's resources. It makes all external resources asynchronous, so nothing in the page can block the rest of the content from rendering.
  • AMP Cache: a proxy-based content delivery network that serves valid AMP documents. The document, its JS files and its images are all fetched from the same origin over HTTP/2 for maximum efficiency.

The Code Injection Vulnerability in the AMP for WP Plugin

The plugin in question is "AMP for WP – Accelerated Mobile Pages". It renders posts and pages in the Accelerated Mobile Pages format for fast loading on mobile devices. The underlying weakness in the older versions (0.9.97.20 and below) is broken authentication and session management: plugin functionality that should be restricted can be reached by users who were never meant to have it.

Attackers have taken advantage of this weakness through a range of exploits: file injection, downloading files through a backdoor (including wp-config.php), denial of service, forced database upgrades, overwriting of options and post metadata, bandwidth exhaustion (downloading the full WP media library), and injection of unfiltered WordPress posts. The code injection angle is that an attacker plants malicious code on the site, for example through cookie values or browser-side scripts, and then uses it to steal sensitive information or cause a data breach.

Why does this occur?

This occurs because the site's session management assets are not properly protected. Typical causes are:

  • User credentials are stored without hashing or encryption.
  • Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, password change/recovery, weak session IDs).
  • Session IDs are exposed in the URL (e.g., URL rewriting).
  • Session IDs are vulnerable to session fixation attacks.
  • Session IDs, user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren't properly invalidated on logout.
  • Session IDs aren't rotated after a successful login.
  • Passwords, session IDs and other credentials are sent over unencrypted connections.

This weakness is classified as CWE-287 (Improper Authentication) in the Common Weakness Enumeration.

The consequence is that sensitive resources or functionality are exposed to unintended users. Attackers can read sensitive information and may even execute arbitrary code on the site. The vulnerability is a particularly critical issue for websites that allow user registration, since a low-privileged registered account is enough to reach the affected functionality.
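To make the class of flaw concrete, here is an added, illustrative example of a WordPress admin-ajax handler that saves plugin options, first in a form that any logged-in user can abuse, then hardened. This is not code from AMP for WP or from its developers; the function names (`example_amp_*`), option names, the `settings_page_example-amp` hook and the `admin.js` file are all hypothetical and exist only for the example.

```php
<?php
/*
 * Hypothetical plugin snippet (example code, not AMP for WP's own source).
 * It shows why "logged in" is not the same as "authorized" in WordPress:
 * every wp_ajax_* hook is reachable by any authenticated user, including a
 * "subscriber" created through open registration.
 */

// BEFORE (vulnerable): no capability check, no nonce, no allow-list.
// Any registered user can POST to /wp-admin/admin-ajax.php?action=example_amp_save_settings
// and overwrite arbitrary wp_options rows with unfiltered values. If the
// theme later echoes one of those values unescaped, that is stored code injection.
function example_amp_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();
    foreach ( $settings as $key => $value ) {
        update_option( $key, $value ); // attacker controls both key and value
    }
    wp_send_json_success( 'saved' );
}
// The vulnerable wiring, shown for contrast (not registered here):
// add_action( 'wp_ajax_example_amp_save_settings', 'example_amp_save_settings_vulnerable' );
// A wp_ajax_nopriv_ hook would widen this to unauthenticated visitors.

// AFTER (hardened): the three controls a privileged WordPress handler needs.
function example_amp_save_settings_hardened() {
    // 1. CSRF protection: nonce bound to this action; dies with 403 on mismatch.
    check_ajax_referer( 'example_amp_save_settings', 'nonce' );

    // 2. Authorization: require an administrative capability, not just a session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: allow-list option names and sanitize each value
    //    with a sanitizer chosen for how that value is later rendered.
    $allowed = array(
        'example_amp_custom_css'  => 'wp_strip_all_tags', // plain text only
        'example_amp_footer_text' => 'wp_kses_post',      // limited safe HTML
        'example_amp_logo_url'    => 'esc_url_raw',       // must be a URL
    );
    $settings = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? $_POST['settings']
        : array();

    foreach ( $settings as $key => $value ) {
        if ( ! isset( $allowed[ $key ] ) ) {
            continue; // unknown option name: ignore rather than write
        }
        $clean = call_user_func( $allowed[ $key ], wp_unslash( (string) $value ) );
        update_option( $key, $clean );
    }
    wp_send_json_success( 'saved' );
}
add_action( 'wp_ajax_example_amp_save_settings', 'example_amp_save_settings_hardened' );

// Hand the nonce to the (hypothetical) settings page script so legitimate
// requests can include it as the "nonce" POST field.
function example_amp_admin_scripts( $hook ) {
    if ( 'settings_page_example-amp' !== $hook ) {
        return; // only on our own settings screen
    }
    wp_enqueue_script( 'example-amp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-amp-admin', 'exampleAmp', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_amp_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_amp_admin_scripts' );
```

The order of the checks matters: the nonce check runs first so a forged cross-site request is rejected before any state is touched, the capability check then stops low-privileged accounts that do hold a valid session, and the allow-list ensures that even an administrator cannot be tricked into writing option names the plugin never meant to expose.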

Mitigation Strategy

The simplest mitigation strategy is:

  • Update to the latest version of the AMP for WP plugin (any release after 0.9.97.20).
  • If you cannot update immediately, disable the plugin until the vulnerability is resolved.

Last but not least, if you would like us to look into this vulnerability on your AMP-enabled site, let us know by visiting our website.

Note: The affected plugin was recently removed temporarily from the WordPress plugin directory because of the vulnerable code, but neither its developer nor the WordPress team revealed the exact issue in the plugin.


Rohan Roy

An IT engineer and a cyber security enthusiast, I research bugs and flaws in content management systems like Drupal and WordPress and how to remove them.