WordPress Plugin 'AMP for WP - Accelerated Mobile Pages' < 0.9.97.20 Multiple Vulnerabilities

medium Nessus Plugin ID 118977

Synopsis

The remote WordPress application has a plugin installed that is affected by multiple vulnerabilities.

Description

The WordPress application running on the remote host has a version of the 'AMP for WP - Accelerated Mobile Pages' plugin that is prior to 0.9.97.20 and, thus, is affected by multiple vulnerabilities. The most severe of which would allow a low level user to modify any request to call AJAX hooks and insert malicious code into a site. The patched version also corrects flaws for cross-site scripting (XSS) vulnerabilities as well as other precautionary fixes.

Solution

Update the 'AMP for WP - Accelerated Mobile Pages' plugin to version 0.9.97.20 or later through the administrative dashboard.

See Also

https://www.webarxsecurity.com/amp-plugin-vulnerability/

https://thehackernews.com/2018/11/amp-plugin-for-WordPress.html

https://wordpress.org/plugins/accelerated-mobile-pages/

https://ampforwp.com/0-9-97-20-released-stability-update/

Plugin Details

Severity: Medium

ID: 118977

File Name: wordpress_plugin_accelerated-mobile-pages_0_9_97_20.nasl

Version: 1.2

Type: remote

Family: CGI abuses

Published: 11/15/2018

Updated: 11/16/2018

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score based on analysis of the vendor advisory.

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: installed_sw/WordPress, www/PHP

Patch Publication Date: 10/29/2018

Vulnerability Publication Date: 11/15/2018