Vital AMP for WP Plugin Weakness Allows Any User to Gain Admin Rights

A recent critical WordPress plugin weakness has been identified that might let site users increase rights to admin level, providing them with the capability to add custom code to a vulnerable website or upload malware. The vulnerabilities is in the AMP for WP plugin, a trendy plugin that changes standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has over 100,000 active users.

Although the plugin was expected to carry out checks to decide whether a particular user is allowed to carry out certain administrative jobs, inadequate checks were carried out to confirm the existing user’s account permissions. As a consequence, any user, including a user listed on the site to submit remarks, might gain admin rights to the site.

The vulnerability was found by WordPress plugin developer Sybre Waaijer who clarified that the vulnerability would let any user read and download files, upload files, modify plugin settings, insert HTML content into posts, or load malware such as a cryptocurrency miner or install malevolent JavaScript. Although there were some safety checks carried out, in most instances unauthenticated users might easily carry out illegal activities on a site with the vulnerable plugin installed.

As per web safety company WebARX, the vulnrability is present in the ampforwp_save_steps_data hook – An Ajax hook that can be called by all listed users on a site. As insufficient checks are carried out to confirm the account role of the user when the hook is called, any site user can use the functions.

The vulnrability has been rectified in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.

The new variety of the plugin includes a check of the wpnonce value to decide whether the user is accredited to update plugin settings. Updates will only be allowed if the user has admin rights.