WordPress AMP Plugin Exploited: Code Injection Vulnerability
WordPress AMP Plugin Exploited
This article discusses the code injection vulnerability in older versions (0.9.97.20 and below) of the AMP for WP plugin. We first describe what Accelerated Mobile Pages are and then how the plugin came to contain an exploitable flaw.
Accelerated Mobile Pages (AMPs) – A Brief Introduction
AMP is an open-source project led by Google that originally aimed to dramatically improve website performance for mobile users. According to the project website, AMP is an open-source library that provides a straightforward way to create web pages that load almost instantly. AMP pages are ordinary web pages: you can link to them, and you remain in control of them.
AMP consists of three components:
- AMP HTML: standard HTML with some restrictions and a set of custom elements, so that a page does not have to load every feature the moment it opens.
- AMP JS: the core runtime library, which loads the page's resources and makes all external resources asynchronous, so that nothing in the page can block rendering.
- AMP Cache: a proxy-based content delivery network that serves valid AMP documents. The document, its JS files and its images are all loaded from the same origin over HTTP/2 for maximum efficiency.
The Code Injection Vulnerability in the AMP for WP Plugin
The plugin in question is “AMP for WP – Accelerated Mobile Pages”, which renders a site's pages in the AMP format for fast loading on mobile devices. The underlying weakness in older versions of the plugin (0.9.97.20 and below) is broken authentication and session management: privileged plugin functionality can be reached without the plugin properly verifying who is asking for it.
Reported abuses of this weakness include file injection, download of server-side files (including wp-config.php), denial-of-service (DDoS) abuse, triggering database upgrades, overwriting options and post metadata, bandwidth exhaustion (bulk downloads of the full WP media library), and injection of unfiltered WordPress posts. A code injection vulnerability lets an attacker introduce malicious code into a website through channels such as cookies and browser-side scripts, and then use it to steal sensitive information or cause a data breach.
Why does this occur?
Broken authentication and session management arises when authentication and session assets are not properly protected. The conditions that lead to it include:
- Stored user credentials are not protected with hashing or encryption.
- Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change/recover password, weak session IDs).
- Session IDs are exposed in the URL (e.g., URL rewriting).
- Session IDs are vulnerable to session fixation attacks.
- Session IDs, user sessions or authentication tokens, particularly single sign-on (SSO) tokens, are not properly invalidated at logout.
- Session IDs are not rotated after a successful login.
- Passwords, session IDs and other credentials are sent over unencrypted connections.
This weakness is classified as CWE-287 (Improper Authentication) in the Common Weakness Enumeration.
The consequence is that sensitive resources or functionality are exposed to unintended users: attackers can read sensitive information and may even execute arbitrary code on the site. The issue is especially critical for sites that allow user registration, where a self-registered, low-privileged account is all an attacker needs to reach the affected functionality.
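The pattern behind the outcomes described above (plugin functionality reachable by unintended users, options overwritten, unfiltered content stored) is an admin-ajax handler that does its work without checking who is calling it. The following is an added example written for this article, not code from the AMP for WP plugin and not a claim about its exact bug: a hypothetical settings handler first in the shape that lets any visitor overwrite an option, then hardened with the three checks WordPress provides. The action name `example_amp_save_setting`, the option `example_amp_footer_html`, the nonce action `example_amp_settings` and the script handle are all invented for illustration; the code assumes it runs inside WordPress (4.7 or later, for the status-code argument of `wp_send_json_error`).

```php
<?php
/*
 * Added example (not the AMP for WP plugin's code): one admin-ajax
 * handler in vulnerable and hardened form. All names below are
 * hypothetical and exist only for this illustration.
 */

// VULNERABLE: no capability check, no nonce, raw request data written
// straight to the options table. If it were also hooked on the
// wp_ajax_nopriv_ action, even anonymous visitors could call it; hooked
// on wp_ajax_ alone, any logged-in account (a self-registered
// subscriber included) could.
function example_amp_save_setting_vulnerable() {
    $value = isset( $_POST['value'] ) ? $_POST['value'] : '';
    update_option( 'example_amp_footer_html', $value ); // stored unfiltered
    wp_send_json_success( 'saved' );
}
// Vulnerable wiring, shown for contrast only (do not register this):
// add_action( 'wp_ajax_example_amp_save_setting',        'example_amp_save_setting_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_amp_save_setting', 'example_amp_save_setting_vulnerable' );

// HARDENED: authorize the caller, bind the request to a nonce, and filter
// the input before it reaches the database.
function example_amp_save_setting() {
    // 1. Authorization: only users allowed to manage options get further.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce minted for this
    //    action; check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_amp_settings', 'nonce' );

    // 3. Input filtering: keep only the HTML an author could publish.
    $value = isset( $_POST['value'] )
        ? wp_kses_post( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_amp_footer_html', $value );
    wp_send_json_success( 'saved' );
}
// Logged-in users only: deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_amp_save_setting', 'example_amp_save_setting' );

// The nonce the handler checks is minted when the settings page renders
// and handed to the page's script (settings.js is a hypothetical file).
function example_amp_settings_page_assets() {
    wp_enqueue_script(
        'example-amp-settings',
        plugins_url( 'settings.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-amp-settings', 'exampleAmp', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_amp_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_amp_settings_page_assets' );
```

The capability check is the part that maps to CWE-287: the nonce alone only proves the request came from a page WordPress rendered for that user, not that the user may change settings, so a subscriber with a valid nonce would still get through a handler that checks only the nonce. When auditing a plugin, grep its `wp_ajax_` and `wp_ajax_nopriv_` registrations and confirm every handler that writes options, posts or files performs both checks.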
The simplest mitigations are:
- Update to a version of the AMP for WP plugin released after 0.9.97.20.
- Until you can update, deactivate the plugin.
Since overwriting options and injecting posts are among the reported abuses, it is also worth reviewing the plugin's settings and recently created posts for content you did not add after updating.
Last but not least, if you would like us to look into this vulnerability on your AMP-enabled site, let us know via our website.
Note: the affected plugin was temporarily removed from the WordPress plugin directory because of the vulnerable code, but neither its developer nor the WordPress team disclosed the exact issue.