WordPress AMP Plugin Vulnerability Affects Up To 100,000+ Sites

Nov 28, 2023 | SEO News Feeds




The Accelerated Mobile Pages WordPress plugin, with over 100,000 installations, patched a medium-severity vulnerability that could allow an attacker to inject malicious scripts that are executed when visitors load the site.

Cross-Site Scripting Via Shortcode

Cross-site scripting (XSS) is one of the most frequent kinds of vulnerability. In the context of WordPress plugins, XSS vulnerabilities happen when a plugin accepts input without sufficiently validating or sanitizing it.

Sanitization is a way to block unwanted kinds of input. For example, if a plugin allows a user to add text through an input field, it should strip or reject anything submitted through that field that doesn’t belong, like a script or a zip file.

A shortcode is a WordPress feature that allows users to insert a tag that looks like this: [example] within posts and pages. Shortcodes embed functionality or content provided by a plugin. This allows users to configure a plugin through an admin panel, then copy and paste a shortcode into a post or page where they want the plugin functionality to appear.

A “cross-site scripting via shortcode” vulnerability is a security flaw that allows an attacker to inject malicious scripts into a website by exploiting the shortcode function of the plugin.

According to a report recently published by the Patchstack WordPress security company:

“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

This vulnerability has been fixed in version 1.0.89.”

Wordfence describes the vulnerability:

“Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes.”

Wordfence also clarifies that this is an authenticated vulnerability, which for this specific exploit means that an attacker needs at least contributor-level permissions in order to take advantage of it.
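To illustrate the "insufficient input sanitization and output escaping on user supplied attributes" pattern, here is an added example that is not code from the AMP plugin or from either report: a hypothetical `[demo_banner]` shortcode, with an unsafe handler beside a hardened one. The tag, function names and attributes are assumptions made for illustration; the WordPress functions called are core APIs.

```php
<?php
/**
 * Plugin Name: Shortcode escaping demo (added example)
 *
 * Hypothetical [demo_banner] shortcode; not code from the AMP plugin.
 */
defined( 'ABSPATH' ) || exit;

// UNSAFE pattern: attribute values typed by the post author are concatenated
// into markup as-is, so a value containing quotes or angle brackets is no
// longer confined to the attribute it was meant for.
function demo_banner_unsafe( $atts ) {
	$atts = shortcode_atts( array( 'url' => '', 'class' => '', 'label' => '' ), $atts );
	return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">' . $atts['label'] . '</a>';
}

// Hardened pattern: validate each attribute for what it is supposed to be on
// the way in, then escape for the exact HTML context on the way out.
function demo_banner_safe( $atts ) {
	$atts = shortcode_atts(
		array( 'url' => '', 'class' => '', 'label' => '' ),
		$atts,
		'demo_banner'
	);

	// Input validation: only http(s) links; class reduced to class-name characters.
	$url   = esc_url_raw( $atts['url'], array( 'http', 'https' ) );
	$class = sanitize_html_class( $atts['class'] );
	$label = sanitize_text_field( $atts['label'] );

	if ( '' === $url ) {
		return ''; // Render nothing rather than a link whose URL was rejected.
	}

	// Output escaping: esc_url for href, esc_attr for attributes, esc_html for text.
	return sprintf(
		'<a href="%s" class="%s">%s</a>',
		esc_url( $url, array( 'http', 'https' ) ),
		esc_attr( $class ),
		esc_html( $label )
	);
}

// Register only the hardened handler.
add_shortcode( 'demo_banner', 'demo_banner_safe' );
```

Because shortcode attributes are written by whoever authors the post, including contributor-level accounts, the handler has to treat every attribute as untrusted input regardless of who is logged in.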


This exploit is rated by Patchstack as a medium-severity vulnerability, scoring 6.5 on a scale of 1-10 (with ten being the most severe).

It’s advised that users check their installations so that they are patched to at least version 1.0.89.

Read the Patchstack report here:
WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Read the Wordfence announcement here:
Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Featured Image by Shutterstock/pedrorsfernandes
