A security researcher has discovered a critical vulnerability in one of the most popular and widely used plugins for WordPress that could allow a low-privileged attacker to inject malicious code into the AMP pages of the targeted website.

The vulnerable WordPress plugin in question is "AMP for WP – Accelerated Mobile Pages" that lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages.

AMP, short for Accelerated Mobile Pages, is an open-source technology designed by Google to let websites build and serve faster web pages to mobile visitors.

Though I am pretty sure the main version of "The Hacker News" website is fast enough for both desktop and mobile device users, you can also check the AMP version for this specific article here.

Out of the hundreds of plugins that allow WordPress websites to create Google-optimised AMP pages, "AMP for WP" is the most popular, with more than 100,000 installations.

Discovered by cybersecurity researcher Luka Sikic from web security firm WebARX, the reported code-injection vulnerability in "AMP for WP" resides in the way the plugin handles WordPress AJAX hooks.

"The AMP plugin vulnerability is located in ampforwp_save_steps_data, which is called to save settings during the installation wizard. It's been registered as the wp_ajax_ampforwp_save_installer AJAX hook," Sikic says in a blog post published today.

"This particular plugin vulnerability is a critical issue for websites that allow user registration."

Under its settings, the plugin offers website administrators options to add advertisements and custom HTML/JavaScript code to the header or footer of an AMP page. To do this, the plugin uses WordPress's built-in AJAX hook functionality in the background.

Since every registered user on a WordPress site, even one with the lowest privileges, is authorized to call AJAX hooks, and since the vulnerable plugin doesn't check whether the account calling the hook is an administrator, any user of the site can make use of this function to inject custom code.

As demonstrated by the researcher in a video, a low-privileged user can simply tamper with any request that calls the AJAX hook and submit malicious JavaScript code into the site.

Sikic reported the vulnerability to the AMP for WP plugin developers, who then addressed the issue with the release of its latest version 0.9.97.20.

"In the updated version, the plugin is checking for the wpnonce value and checks if the logged-in user can manage options," the researcher says.
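To make the fix concrete, here is an added example, not the plugin's own code, of a WordPress AJAX settings handler written first without and then with the two checks the researcher describes (a nonce and a manage_options capability check). The function, hook, option and nonce-action names are hypothetical stand-ins for the plugin's ampforwp_save_steps_data handler on the wp_ajax_ampforwp_save_installer hook.

```php
<?php
// Added illustration of the vulnerable pattern and its hardened form.
// All names below are hypothetical; this is not code from the AMP for WP plugin.

// Vulnerable pattern: any logged-in user (even a Subscriber) can reach a
// wp_ajax_* hook, and this handler trusts the request with no nonce and no
// capability check, so whatever is posted ends up rendered on every AMP page.
function example_save_settings_vulnerable() {
    $custom_html = isset( $_POST['custom_html'] ) ? wp_unslash( $_POST['custom_html'] ) : '';
    update_option( 'example_amp_header_html', $custom_html );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_old', 'example_save_settings_vulnerable' );

// Hardened pattern matching the described fix: verify the nonce (blocks CSRF)
// and require the manage_options capability (blocks low-privileged accounts).
function example_save_settings_hardened() {
    // Dies with HTTP 403 if the 'security' field is missing or not a valid
    // nonce for the 'example_save_settings_nonce' action.
    check_ajax_referer( 'example_save_settings_nonce', 'security' );

    // manage_options is held by administrators only; a Subscriber is refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $custom_html = isset( $_POST['custom_html'] ) ? wp_unslash( $_POST['custom_html'] ) : '';
    update_option( 'example_amp_header_html', $custom_html );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// The legitimate admin-side script must be handed the matching nonce so that
// its request passes check_ajax_referer(), e.g. when enqueuing the script:
//   wp_localize_script( 'example-admin', 'exampleAjax', array(
//       'nonce' => wp_create_nonce( 'example_save_settings_nonce' ),
//   ) );
```

Both checks are needed: the nonce alone still lets any logged-in user who obtains a valid nonce save settings, and the capability check alone leaves an administrator open to a forged cross-site request.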

If your WordPress website also uses the affected plugin, you are strongly advised to install the latest available security update as soon as possible.

It's only the 15th of this month, and a weakness in another popular WordPress plugin has already been discovered, affecting hundreds of thousands of websites.

Just last week, an arbitrary file deletion vulnerability was disclosed in the popular WooCommerce plugin that could have allowed a malicious or compromised privileged user to gain full control over a WordPress website.
