WordPress Plugin Vulnerability Report – AMP for WP – Accelerated Mobile Pages – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-48321

Plugin Name: AMP for WP – Accelerated Mobile Pages

Key Information:

  • Software Type: Plugin
  • Software Slug: accelerated-mobile-pages
  • Software Status: Active
  • Software Author: mohammed_kaludi
  • Software Downloads: 17,408,260
  • Active Installs: 100,000
  • Last Updated: November 28, 2023
  • Patched Versions: 1.0.89
  • Affected Versions: <= 1.0.88.1

Vulnerability Details:

  • Name: Accelerated Mobile Pages <= 1.0.88.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-48321
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: November 28, 2023
  • Researcher: Ngô Thiên An
  • Description: The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The AMP for WP – Accelerated Mobile Pages plugin for WordPress has a vulnerability in versions up to and including 1.0.88.1 that allows authenticated users with Contributor+ permissions to conduct stored cross-site scripting attacks via shortcodes. This vulnerability has been patched in version 1.0.89.

Detailed Overview:

Researcher Ngô Thiên An found that the plugin neither sanitizes the attribute values of its shortcode(s) on input nor escapes them on output. Shortcodes matter here because WordPress strips raw <script> tags and event-handler attributes from content submitted by Contributor-level users, but the text inside a [shortcode attr="..."] tag is only turned into HTML later, when the plugin renders it, so unescaped attribute values are a common way for a low-privileged author to land a script in the rendered page. Once the post is published (or previewed by an editor), the payload runs in the browser of anyone who views the page, including administrators, and can be used for session hijacking, defacement, phishing for credentials and similar attacks. With over 17 million downloads and 100,000+ active installations, the exposed population is large. Users should update to version 1.0.89, which contains the fix.
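The pattern described above, as an added illustration (this is not the AMP for WP plugin's code; the advisory does not name the affected shortcode or attribute, so the `demo_box` shortcode and its `title`/`link` attributes are hypothetical). The vulnerable handler concatenates attribute values straight into HTML; the hardened handler uses the WordPress escaping functions `esc_attr()`, `esc_html()` and `esc_url()` for each output context and `sanitize_text_field()` on input:

```php
<?php
// Added example, not the plugin's code: a hypothetical [demo_box] shortcode
// showing the unescaped-attribute bug class behind CVE-2023-48321 and its fix.
// Runs inside WordPress (uses shortcode_atts, esc_*, sanitize_text_field).

// VULNERABLE: attribute values are written into HTML with no escaping.
// A Contributor can publish
//   [demo_box title='x" onmouseover="alert(1)' link="javascript:alert(1)"]
// which renders as  <div class="demo-box" title="x" onmouseover="alert(1)">...
// Post-content filtering (kses) never sees this as HTML because it lives
// inside the shortcode brackets until the plugin renders it.
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'link' => '#' ), $atts, 'demo_box' );
    return '<div class="demo-box" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}

// HARDENED: sanitize on input, then escape on output for the exact context
// each value lands in (attribute, URL, text node).
function demo_box_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'link' => '#' ), $atts, 'demo_box' );
    $title = sanitize_text_field( $atts['title'] );             // drop tags, control chars
    $link  = esc_url( $atts['link'], array( 'http', 'https' ) ); // rejects javascript:, data:
    return '<div class="demo-box" title="' . esc_attr( $title ) . '">'
         . '<a href="' . $link . '">' . esc_html( $title ) . '</a></div>';
}

add_shortcode( 'demo_box', 'demo_box_hardened' );
```

Escaping has to match the output context: `esc_attr()` neutralizes the quote that closes an attribute and lets `onmouseover=` in, `esc_html()` protects text nodes, and `esc_url()` with an explicit protocol whitelist is what stops a `javascript:` or `data:` link, which `esc_attr()` alone would leave functional.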

Advice for Users:

  1. Immediate Action: Update the AMP plugin to version 1.0.89 as soon as possible.
  2. Check for Signs of Compromise: Review posts and pages, including drafts, pending posts and revisions created by Contributor-level accounts, for unexpected scripts, iframes, or shortcode attributes containing stray quotes, on* event handlers or javascript: URLs. Also check for unauthorized administrator accounts.
  3. Alternate Plugins: If you cannot update right away, deactivate the plugin or consider an alternative mobile experience plugin such as WPtouch until you can apply the fixed version.
  4. Stay Updated: Enable automatic updates for plugins if available or routinely check for new releases.

Conclusion:

The developer has addressed this vulnerability quickly by releasing version 1.0.89. Users should upgrade immediately to protect their sites from stored XSS attacks targeting site visitors and administrators. Sanitizing input and escaping output for its context remain essential practices when developing plugins.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/accelerated-mobile-pages

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/accelerated-mobile-pages/accelerated-mobile-pages-10881-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Detailed Report:

Keeping your WordPress website secure requires constant vigilance - from strong passwords to routine updates. Unfortunately, too often website owners put off those minor version bumps only to regret it later. Case in point: a medium-severity (CVSS 6.4) stored cross-site scripting vulnerability recently disclosed in a very popular WordPress plugin, AMP for WP, installed on over 100,000 sites.

The AMP for WP (Accelerated Mobile Pages) plugin optimizes WordPress sites for fast loading and good visibility on mobile devices. The plugin has over 17 million downloads and more than 100,000 active installations.

Recently, researcher Ngô Thiên An discovered a flaw in the plugin that allows authenticated users with Contributor-level permissions (the lowest role that can write posts) to conduct stored cross-site scripting (XSS) attacks. By placing a malicious payload in a shortcode attribute, an attacker stores a script that runs in the browser of anyone who views the page. If that viewer is an administrator, the script can act with their privileges: hijack the session, create accounts, install backdoored plugins, steal data, or deface the site. This impacts all AMP plugin versions up to and including 1.0.88.1.
</gml_replace>
<gr_replace lines="61" cat="clarify" orig="The risks of this">
The risks of this vulnerability are serious for small business owners relying on WordPress sites. A script executing in an administrator's browser can do anything that administrator can do through the dashboard, which means customer data theft, malicious redirects or phishing pages served to visitors, persistent backdoors, and the search-engine blacklisting that follows. Because the payload sits inside ordinary post content, attackers can hide their activity for months before being detected.

The risks of this vulnerability are serious for small business owners relying on WordPress sites. A successful XSS attack can lead to customer data theft, wiped servers, stolen financial information, complete site destruction, and lasting Google penalties. Attackers can hide their activities for months before being detected.

Updating to version 1.0.89 patches the security flaw. Users should update immediately if running an older version. As a precaution, check your site for unauthorized admin accounts, changed permissions, or unexpected scripts/iframes indicating previous compromise. Alternatives like WPtouch may be worth evaluating.
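A triage helper for the "check for unexpected scripts/iframes" step recommended above and in the Advice for Users list, added here as an example (not part of the advisory). It is plain PHP with constructed sample posts so it runs stand-alone; the commented lines at the end show how to feed it real post content and list administrator accounts from inside WordPress. The hypothetical `[demo_box]` payload in sample post 2 is constructed data, not a known payload for this plugin:

```php
<?php
// Added example, not from the advisory: regex triage over post content for
// stored-XSS indicators, including payloads hidden inside shortcode attributes.

const SUSPICIOUS_PATTERNS = array(
    'script_tag'     => '/<script\b/i',
    'iframe_tag'     => '/<iframe\b/i',
    'event_handler'  => '/\bon[a-z]+\s*=\s*["\']?[^"\'>\s]/i',        // onerror=, onload=, ...
    'js_uri'         => '/=\s*["\']?\s*javascript:/i',               // href="javascript:..."
    'data_html_uri'  => '/data:text\/html/i',
    // A script tag, javascript: URI or on*= handler inside [shortcode ...] brackets,
    // where kses does not look because it is not yet HTML.
    'shortcode_attr' => '/\[[a-z0-9_-]+[^\]]*(?:<|javascript:|\bon[a-z]+\s*=)[^\]]*\]/i',
);

// Return the names of every pattern that matches the given content.
function find_suspicious_html( string $content ): array {
    $hits = array();
    foreach ( SUSPICIOUS_PATTERNS as $name => $re ) {
        if ( preg_match( $re, $content ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Map post ID => matched pattern names, for posts that matched anything.
function scan_posts( array $posts ): array {
    $report = array();
    foreach ( $posts as $p ) {
        $hits = find_suspicious_html( $p['post_content'] );
        if ( $hits ) {
            $report[ $p['ID'] ] = $hits;
        }
    }
    return $report;
}

// Constructed sample posts (not real site data).
$sample_posts = array(
    array( 'ID' => 1, 'post_content' => '<p>Plain article with a [gallery ids="1,2"] shortcode.</p>' ),
    array( 'ID' => 2, 'post_content' => '[demo_box title=\'x" onmouseover="alert(1)\' link="javascript:alert(1)"]' ),
    array( 'ID' => 3, 'post_content' => '<p>Intro</p><iframe src="https://evil.example/"></iframe>' ),
);

print_r( scan_posts( $sample_posts ) );
// Post 1 is clean; post 2 trips event_handler, js_uri and shortcode_attr; post 3 trips iframe_tag.

// Inside WordPress, scan every post of every status (drafts and pending posts by
// Contributors included) and review who holds the administrator role:
// $posts = array_map(
//     fn( $p ) => array( 'ID' => $p->ID, 'post_content' => $p->post_content ),
//     get_posts( array( 'post_type' => 'any', 'post_status' => 'any', 'posts_per_page' => -1 ) )
// );
// print_r( scan_posts( $posts ) );
// foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) { echo "$u->ID $u->user_login $u->user_email\n"; }
```

The patterns are deliberately broad and will flag some legitimate embeds (a YouTube iframe, for instance), so treat hits as a review queue rather than proof of compromise, and compare each flagged post's author and last-modified date against what you expect.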

This marks the 4th vulnerability found in the AMP plugin since October 2018. The popularity of the plugin makes it an enticing target. Some estimate XSS flaws account for over 65% of WordPress vulnerabilities reported annually.

For small business owners running on WordPress, this incident highlights why timely plugin updates are non-negotiable. While staying current with site maintenance can get pushed down the priority list, falling behind only opens the door to potential disaster. Protecting your livelihood with a few minutes of attention upfront is worth it.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
