The Accelerated Mobile Pages WordPress plugin, which has over 100,000 installations, patched a medium-severity vulnerability that could allow an attacker to inject malicious scripts that execute in the browsers of website visitors.
Cross-Site Scripting Via Shortcode
Cross-site scripting (XSS) is one of the most common kinds of vulnerability. In WordPress plugins, an XSS flaw arises when a plugin accepts input that it does not sufficiently validate or sanitize, and then writes that input into a page without escaping it.
Sanitization strips or neutralizes unwanted content in input. For example, if a plugin lets a user enter text through an input field, it should also remove or neutralize anything entered into that field that does not belong there, such as a script tag or other HTML markup. Sanitizing on input and escaping on output are complementary controls: in WordPress the first is done with functions such as sanitize_text_field(), the second with functions such as esc_html() and esc_attr(), chosen to match the HTML context the value lands in.
A shortcode is a WordPress feature that lets users insert a tag such as [example] into posts and pages. Shortcodes embed functionality or content provided by a plugin: a user configures the plugin through an admin panel, then copies and pastes a shortcode into a post or page at the point where the plugin's output should appear. A shortcode can also carry attributes, such as [example title="..."], which the plugin's callback receives as input.
A "cross-site scripting via shortcode" vulnerability is a flaw in which a plugin's shortcode handler passes attacker-controlled input, typically a shortcode attribute, into the rendered page without escaping it, so anyone able to place a shortcode in a post can inject script that runs for every visitor who views that post. The caveat for plugin authors: the kses filtering WordPress applies to post content for users without the unfiltered_html capability acts on the stored post text, not on the HTML a shortcode callback generates at render time, so the callback itself is responsible for escaping its output.
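The pattern that makes a shortcode callback exploitable, shown as an added illustration that is not code from the Accelerated Mobile Pages plugin or from either security company: a hypothetical [example_box title="..."] shortcode whose handler writes the attribute value into HTML unescaped, beside the same handler escaped with WordPress's esc_attr() and esc_html(). The function names example_box_vulnerable, example_box_hardened and the payload are constructed for this example. The guarded stand-in definitions at the top are simplified approximations so the file runs under the PHP CLI without WordPress; inside WordPress they are skipped because core already defines the real functions.

```php
<?php
// Added example, not code from the AMP plugin. Run offline with: php example.php
// The function_exists() guards supply approximations of WordPress core
// helpers so the file executes without WordPress loaded.

if (!function_exists('esc_attr')) {
    // Approximation of esc_attr(): HTML-escape for an attribute context.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Approximation of esc_html(): HTML-escape for element text content.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Approximation of shortcode_atts(): keep only declared attributes,
    // filling in defaults for any the shortcode did not supply.
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('add_shortcode')) {
    // Offline no-op; WordPress registers the tag with its shortcode parser.
    function add_shortcode(string $tag, callable $callback): void {}
}

// VULNERABLE (hypothetical): the attribute value is concatenated straight
// into an HTML attribute and into element text. A value containing a quote
// closes the title="" attribute and can add an event-handler attribute.
function example_box_vulnerable($atts): string {
    $a = shortcode_atts(['title' => 'Untitled'], (array) $atts);
    return '<div class="box" title="' . $a['title'] . '">' . $a['title'] . '</div>';
}

// HARDENED: each value is escaped for the context it is written into;
// quotes and angle brackets become entities and cannot terminate the
// attribute or open a new tag.
function example_box_hardened($atts): string {
    $a = shortcode_atts(['title' => 'Untitled'], (array) $atts);
    return '<div class="box" title="' . esc_attr($a['title']) . '">'
         . esc_html($a['title']) . '</div>';
}

add_shortcode('example_box_vulnerable', 'example_box_vulnerable');
add_shortcode('example_box_hardened', 'example_box_hardened');

// Constructed attacker-controlled attribute value: a closing quote followed
// by an inline event handler. In WordPress this would arrive through the
// shortcode's attributes as parsed from the post body.
$payload = ['title' => '" onmouseover="alert(1)'];

echo "vulnerable: ", example_box_vulnerable($payload), PHP_EOL;
echo "hardened:   ", example_box_hardened($payload), PHP_EOL;
```

Run it and compare the two lines: in the vulnerable rendering the quote in the payload terminates the title attribute and the text that follows becomes a live onmouseover handler on the div, while in the hardened rendering the same characters appear as &quot; entities inside the attribute and the text, and the markup stays a single harmless div. The escaping function must match the context: esc_attr() for attribute values, esc_html() for text between tags, and esc_url() for href or src values; one function does not cover all three.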
According to a report recently published by WordPress security company Patchstack:
“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.
This vulnerability has been fixed in version 1.0.89.”
Wordfence describes the vulnerability: