Madiha Yaqoob
The WordPress AMP plugin, installed on over 100,000 sites, recently addressed a cross-site scripting (XSS) vulnerability, securing the platform against potential attacks where malicious scripts could be injected.
The vulnerability, considered of medium severity, was mitigated in version 1.0.89 of the Accelerated Mobile Pages WordPress plugin. XSS vulnerabilities are common in WordPress plugins when the input data lacks sufficient validation or sanitization processes.
Sanitization is crucial for blocking undesirable input types. For instance, if a plugin allows users to input text through a field, it should appropriately sanitize any input that deviates from expected content, such as scripts or compressed files.
What are shortcodes in WordPress?
In the context of WordPress, shortcodes are tags enclosed in brackets (e.g., [example]) that users can insert into posts or pages. These shortcodes embed plugin functionalities or content. Users typically configure a plugin in the admin panel and then insert a shortcode where they want the plugin’s features to appear.
The identified “cross-site scripting via shortcode” vulnerability enabled attackers to inject harmful scripts by exploiting the shortcode function of the plugin. Patchstack, a WordPress security company, noted in a recent report:
This could make it possible for a malicious actor to put malicious scripts—such as advertisements redirects and other HTML payloads into your website which viewers can view and use. Version 1.0.89 has been revised to address this vulnerability.
Wordfence, in its description of the vulnerability, explained that the Accelerated Mobile Pages plugin was susceptible to Stored Cross-Site Scripting via its shortcode(s) in all versions up to 1.0.88.1 due to inadequate input sanitization and output escaping on user-supplied attributes.
It’s important to note that this is an authenticated vulnerability, requiring at least contributor-level permissions for an attacker to exploit it. Patchstack assigned a medium severity level to this exploit, scoring it 6.5 on a scale of 1-10.
Users are strongly advised to ensure their installations are updated to at least version 1.0.89 to patch this vulnerability.
