CVE-2023-48321: AMP Plugin Vulnerability Affects Over 100,000 Sites
The Accelerated Mobile Pages (AMP) plugin for WordPress, used by over 100,000 websites, recently fixed a vulnerability that allowed an attacker to plant malicious scripts on a site. These scripts would run when users visited the site.
The issue was a cross-site scripting (XSS) flaw reachable via shortcodes (CVE-2023-48321, CVSS: 6.5). WordPress plugins are exposed to this class of vulnerability when they fail to adequately validate or sanitize user-supplied data.
Data sanitization refers to the process of blocking or filtering undesirable data types. For instance, a plugin might allow text to be added through an input field but fail to filter other types of data, like scripts or ZIP files.
Shortcodes in WordPress are a feature enabling users to insert special tags ([example]) into the texts of posts and pages. These shortcodes activate certain plugin functions or content, simplifying plugin configuration through the administrative panel.
The identified vulnerability permitted attackers to insert malicious scripts onto a site via the plugin’s shortcode mechanism, potentially leading to automatic redirection or advertisement displays when users visit the site.
Cybersecurity firm Patchstack reported that the issue was resolved in plugin version 1.0.89. Versions up to and including 1.0.88.1 had insufficient data sanitization and escaping, which led to the vulnerability.
Wordfence, a company specializing in WordPress security, notes that exploiting CVE-2023-48321 requires the attacker to have contributor-level permissions or higher on the site. Users are advised to update the plugin to version 1.0.89 or later.
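To show what insufficient sanitization and escaping looks like in a shortcode handler, here is an added example that is not the AMP plugin's code: a handler that echoes its attributes as-is, next to a hardened version. The shortcode names, attributes and function names are hypothetical; the WordPress functions used (add_shortcode, shortcode_atts, esc_url, esc_attr, sanitize_html_class, wp_kses) are core APIs.

```php
<?php
// Added illustration, NOT the AMP plugin's code. The shortcodes
// [demo_button_unsafe] and [demo_button] are hypothetical names.
// Runs inside WordPress, e.g. saved as a small plugin file.

// Before: attribute values and enclosed content go into the HTML as-is.
// Shortcodes are expanded at render time, so whoever can save a post
// containing the shortcode (a contributor, for instance) controls this markup.
function demo_button_unsafe( $atts, $content = '' ) {
    $atts  = (array) $atts;
    $url   = isset( $atts['url'] ) ? $atts['url'] : '#';
    $class = isset( $atts['class'] ) ? $atts['class'] : '';
    return '<a class="btn ' . $class . '" href="' . $url . '">' . $content . '</a>';
}
add_shortcode( 'demo_button_unsafe', 'demo_button_unsafe' );

// After: accept only known attributes, sanitize each value for its type,
// and escape for the exact output context (URL, attribute, element body).
function demo_button_safe( $atts, $content = '' ) {
    // Unknown attributes are dropped; missing ones get safe defaults.
    $atts = shortcode_atts( array( 'url' => '#', 'class' => '' ), $atts, 'demo_button' );

    // esc_url() returns '' for schemes outside the allowed list.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        $url = '#';
    }

    // Reduce every class token to characters that are valid in a class name.
    $tokens  = preg_split( '/\s+/', (string) $atts['class'] );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    $class   = implode( ' ', array_merge( array( 'btn' ), $classes ) );

    // Allow only harmless inline markup in the link text.
    $label = wp_kses( (string) $content, array( 'strong' => array(), 'em' => array() ) );

    return sprintf( '<a class="%s" href="%s">%s</a>', esc_attr( $class ), $url, $label );
}
add_shortcode( 'demo_button', 'demo_button_safe' );
```

When reviewing a plugin for this bug class, look for shortcode callbacks that concatenate `$atts` or `$content` into returned HTML without an `esc_*` or `wp_kses*` call on each value.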