Executive Summary

The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its AMP Custom CSS setting. This vulnerability exists in all versions up to and including 1.0.49. It occurs because the plugin does not properly sanitize or escape user-supplied input in the custom CSS field. As a result, an authenticated attacker with Administrator-level access or higher can inject malicious scripts into pages. These scripts execute whenever any user accesses the affected page. This vulnerability specifically affects multi-site WordPress installations or installations where the unfiltered_html capability is disabled.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with administrator privileges to inject arbitrary JavaScript code into AMP pages via the custom CSS setting. The injected scripts execute in the context of users visiting those pages, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of users. Since the vulnerability is stored, the malicious code persists and affects all users who view the compromised pages. This can undermine the security and trustworthiness of your WordPress site, especially in multi-site environments or where unfiltered HTML is disabled.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the AMP Enhancer plugin for WordPress is installed and running a version up to and including 1.0.49 on a multi-site installation or on a site where unfiltered_html is disabled.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves stored Cross-Site Scripting via the AMP Custom CSS setting, detection involves verifying if any malicious scripts have been injected into the AMP Custom CSS field by an authenticated administrator.'}, {'type': 'paragraph', 'content': "There are no specific network commands provided in the resources to detect this vulnerability. However, administrators can manually inspect the custom CSS stored in the WordPress database option 'ampenhancer_custom_css' for suspicious script tags or JavaScript code."}, {'type': 'list_item', 'content': 'Use WP-CLI to retrieve the custom CSS option: wp option get ampenhancer_custom_css'}, {'type': 'list_item', 'content': 'Manually review the output for any embedded <script> tags or suspicious JavaScript.'}, {'type': 'list_item', 'content': 'Check the plugin version installed to confirm if it is vulnerable (version ≤ 1.0.49).'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the AMP Enhancer plugin to a version later than 1.0.49 where the vulnerability is fixed.

If updating is not immediately possible, restrict administrator-level access to trusted users only, since exploitation requires authenticated users with Administrator-level access.

Additionally, review and sanitize any custom CSS stored in the 'ampenhancer_custom_css' option to remove any injected scripts.

Consider enabling or enforcing input sanitization and output escaping on user-supplied attributes in the plugin's custom CSS settings if you have development resources.

Monitor your WordPress multisite installations closely for any suspicious activity related to the AMP Enhancer plugin.

Useful 0 Not Useful 0