
Another WordPress hacking campaign is ongoing targeting AMP for WordPress plugin

  • The plugin is installed on more than 100,000 WordPress sites and can allow attackers to gain administrative access to a site.
  • The exploitation process is very similar to the one reported in the WP GDPR Compliance plugin.

Security researchers have identified a second security flaw in the Accelerated Mobile Pages (AMP) for WP WordPress plugin. The plugin is installed on more than 100,000 WordPress sites and can allow attackers to gain administrative access to a site.

The vulnerability came to light last week after WebARX, a web security firm, published a proof-of-concept (PoC) of the exploitation process. However, the actual vulnerability was identified by a WordPress plugin developer, Sybre Waaijer, who reported the issue to the WordPress plugin team in mid-October.

According to the WordPress security firm, Wordfence, the vulnerability is identified as a cross-site scripting (XSS) flaw and the exploitation process is very similar to the one reported in the WP GDPR Compliance plugin.

In this campaign, attackers scan the web for sites running the vulnerable AMP for WP plugin and then use the XSS vulnerability to inject malicious JavaScript code into various parts of those sites. Because the injected script runs in the browser of a logged-in administrator, it inherits that administrator's privileges on the site.

The malicious code allows attackers to create a new administrator account named ‘supportuser’. In addition to the creation of a rogue admin account, the script allows attackers to inject backdoors into an affected site’s plugins.

Fixing the issue

Defiant’s security team suggested that users implement a content security policy (CSP) as a possible mitigation against such attacks. Researchers also advised users to update their site’s software to the latest version. A fix for the issue is available in the updated version of AMP for WP, i.e. version 0.9.97.20.
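As an added, defender-side example that is not from the article, Wordfence, or WebARX: a Python script that flags administrator accounts outside a known allow-list (the constructed sample mimics `wp user list --role=administrator --format=csv` output and contains the ‘supportuser’ login the article names) and checks whether a CSP header would actually block an injected inline script. The CSP rule applied (a script-src, or default-src fallback, that either omits 'unsafe-inline' or pairs it with a nonce/hash that makes browsers ignore it) is an assumption about what "implement CSP" should mean here, not the article's wording.

```python
import csv
import io

# Constructed sample of `wp user list --role=administrator --format=csv` output.
# Not taken from the article; 'supportuser' is the rogue login it reports.
SAMPLE_ADMIN_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2017-03-02 10:15:00,administrator
42,supportuser,support@example.com,2018-11-20 03:41:07,administrator
"""


def unexpected_admins(csv_text, known_admins):
    """Return logins of administrator accounts that are not on the allow-list.

    Matching is by login (case-insensitive), so any admin the site owner did
    not create, such as the 'supportuser' account, is surfaced for review.
    """
    known = {login.lower() for login in known_admins}
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = [r.strip() for r in row["roles"].split(",")]
        if "administrator" in roles and row["user_login"].lower() not in known:
            flagged.append(row["user_login"])
    return flagged


def csp_blocks_inline_scripts(header_value):
    """True if a Content-Security-Policy value stops injected inline <script> tags.

    Assumed rule: script-src (falling back to default-src) must exist and must
    not permit 'unsafe-inline'. A nonce or hash source alongside 'unsafe-inline'
    counts as blocking, because CSP Level 2+ browsers then ignore 'unsafe-inline'
    and an injected payload cannot guess the nonce or match a hash.
    """
    directives = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no script restriction at all
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" not in sources or has_nonce_or_hash
```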

Cyware Publisher
