Code injection in AMP plugin for WordPress



Published: 2018-11-15
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID N/A
CWE-ID CWE-94
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		Accelerated Mobile Pages
Web applications / Modules and components for CMS

Vendor AMP Project

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Code injection

EUVDB-ID: #VU15912

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote low-privileged attacker to inject malicious code on the targeted website.

The weakness exists in the ampforwp_save_steps_data which is called to save settings during the installation wizard that's been registered wp_ajax_ampforwp_save_installer ajax hook due to insufficient validation of user-supplied input. A remote attacker can supply a specially crafted input to inject arbitrary code on AMP pages.

Mitigation

Update to version 0.9.97.20.

Vulnerable software versions

Accelerated Mobile Pages: before 0.9.97.20

External links

http://www.webarxsecurity.com/amp-plugin-vulnerability/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###