AMP for WP Vulnerability – Accelerated Mobile Pages – Authenticated Arbitrary Post Deletion via amppb_remove_saved_layout_data – CVE-2024-1043 | WordPress Plugin Vulnerability Report

Key Information:

  • Software Type: Plugin
  • Software Slug: accelerated-mobile-pages
  • Software Status: Active
  • Software Author: mohammed_kaludi
  • Software Downloads: 17,665,548
  • Active Installs: 100,000
  • Last Updated: February 13, 2024
  • Patched Versions: 1.0.93.2
  • Affected Versions: <= 1.0.93.1

Vulnerability Details:

  • Name: AMP for WP <= 1.0.93.1
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE: CVE-2024-1043
  • CVSS Score: 6.5
  • Publicly Published: February 6, 2024
  • Researcher: Sean Murphy
  • Description: The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'amppb_remove_saved_layout_data' function in all versions up to, and including, 1.0.93.1. This vulnerability allows authenticated attackers, with contributor access or higher, to delete arbitrary posts on the site.

Summary:

The AMP for WP – Accelerated Mobile Pages plugin for WordPress has a vulnerability in versions up to and including 1.0.93.1 that allows authenticated users with contributor-level access or higher to delete arbitrary posts due to a missing capability check in the 'amppb_remove_saved_layout_data' function. This vulnerability has been patched in version 1.0.93.2.

Detailed Overview:

Discovered by researcher Sean Murphy, this vulnerability poses a significant risk to WordPress sites using affected versions of the AMP for WP plugin. Attackers with at least contributor access can exploit this flaw to delete posts, potentially leading to unauthorized data loss and disruption of site content. The vulnerability underscores the importance of proper capability checks within plugin functions to prevent unauthorized actions. Remediation of this vulnerability involved adding appropriate capability checks to the affected function, ensuring that only users with the right permissions can perform sensitive actions.
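The bug class described above (an authenticated handler that deletes a post without verifying the caller may do so) and its remediation, as an added illustrative example in PHP. This is not the AMP for WP plugin's code; the function, hook, nonce and post-type names are hypothetical.

```php
<?php
// Illustrative example only: NOT the AMP for WP plugin's code. It reconstructs the
// bug class described in the report (a logged-in AJAX handler that deletes a post
// without a capability check) and the corrected form. All names are hypothetical.

// --- Vulnerable pattern: authentication only, no authorization -----------------
// wp_ajax_* hooks fire for any logged-in user, so a Contributor can reach this
// handler. Nothing verifies that the caller may delete the post they name, so a
// post ID supplied in the request is deleted regardless of ownership or role.
function example_remove_layout_data_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( $post_id ) {
        wp_delete_post( $post_id, true ); // no current_user_can() check
    }
    wp_die();
}
// Shown for contrast only; a real plugin should never register this handler:
// add_action( 'wp_ajax_example_remove_layout', 'example_remove_layout_data_vulnerable' );

// --- Hardened pattern: nonce check + per-object capability check --------------
function example_remove_layout_data_fixed() {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_remove_layout_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id ) {
        wp_send_json_error( 'missing post_id', 400 ); // ends the request
    }

    // Authorization: 'delete_post' is a meta capability that WordPress maps per
    // object, so a Contributor passes only for their own unpublished posts,
    // while Editors and Administrators pass as their roles allow.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Scope the handler to the post type this feature manages, so it cannot be
    // repurposed to delete unrelated content even by a user who may delete it.
    if ( get_post_type( $post_id ) !== 'example_layout' ) {
        wp_send_json_error( 'unexpected post type', 400 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_remove_layout', 'example_remove_layout_data_fixed' );
```

Being logged in is not authorization: every `wp_ajax_*` handler that changes state needs both a nonce check and a `current_user_can()` check against the specific object it acts on.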

Advice for Users:

  • Immediate Action: Users are strongly encouraged to update to version 1.0.93.2 or later to mitigate the risk associated with this vulnerability.
  • Check for Signs of Vulnerability: Administrators should review their site's content for any unexpected deletions or alterations and examine user activity logs for unauthorized actions.
  • Alternate Plugins: While the vulnerability has been patched, users may consider exploring alternative plugins offering similar functionality as a precautionary measure.
  • Stay Updated: Maintaining the latest versions of all installed plugins is crucial in safeguarding WordPress sites against vulnerabilities.

Conclusion:

The swift action by the developers of the AMP for WP plugin to address this vulnerability highlights the critical importance of regular software updates. To protect their WordPress installations, users must ensure they are running version 1.0.93.2 or later of the AMP for WP plugin.

In the digital realm where the pace of change is relentless, the importance of your website's security cannot be overstated. The recent discovery of a significant vulnerability in the AMP for WP – Accelerated Mobile Pages plugin serves as a critical reminder of the importance of keeping your WordPress site up-to-date. Known as CVE-2024-1043, this vulnerability highlights a stark reality: in the world of cyber threats, complacency can have costly consequences.

The AMP for WP Plugin: A Cornerstone for Mobile Optimization

The AMP for WP plugin is designed to enhance the mobile browsing experience, making it a popular choice for over 100,000 WordPress sites. Developed by Mohammed Kaludi, the plugin has seen more than 17 million downloads, a testament to its widespread adoption and utility in creating fast, efficient mobile pages.

Unveiling the Vulnerability: CVE-2024-1043

Discovered by researcher Sean Murphy, the CVE-2024-1043 vulnerability lies in a missing capability check within the 'amppb_remove_saved_layout_data' function. This flaw allows authenticated users with contributor-level access or higher to delete arbitrary posts, posing a significant risk to the integrity and availability of site content. With a CVSS score of 6.5, the vulnerability underscores the need for rigorous security checks and balances within plugin functionalities.

Risks and Potential Impacts

The vulnerability presents a clear and present danger to WordPress sites using affected versions of the plugin, leading to potential unauthorized data loss and content disruption. For small business owners, such incidents can translate into lost revenue, eroded customer trust, and significant remediation costs.

Remediating the Vulnerability

The developers have promptly addressed the vulnerability in version 1.0.93.2 of the plugin. Users are urged to update to this patched version immediately to safeguard their sites against potential exploitation. Additionally, site administrators should review content and user activity logs for signs of unauthorized actions, ensuring no adverse impacts have occurred.

A History of Vulnerabilities

This is not the first time vulnerabilities have been identified in the AMP for WP plugin. With seven vulnerabilities reported since October 20, 2018, the plugin's history underscores the ongoing battle against cyber threats and the critical importance of maintaining up-to-date software.

The Imperative of Vigilance

For small business owners juggling myriad responsibilities, staying abreast of every security update can seem daunting. However, the digital security of your business is not just an IT concern; it's a foundational aspect of your business's integrity and reliability. Leveraging managed WordPress hosting services, employing reputable security plugins, and engaging in regular site audits can significantly reduce your vulnerability to cyber threats.

Conclusion: The Non-Negotiable Priority of Security

The revelation of CVE-2024-1043 in the AMP for WP plugin serves as a stark reminder of the ever-present cyber threats lurking in the digital shadows. For small business owners, the incident reinforces the non-negotiable priority of website security. Staying informed, vigilant, and proactive in updating and securing your WordPress site is not just best practice—it's a critical defense mechanism in safeguarding your digital presence, your brand, and your customers' trust.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
