17 November 18, 08:55
Quote: Another day, another critical WordPress plugin vulnerability. The popular AMP for WP plugin, which helps WordPress sites load faster on mobile browsers, has a privilege-escalation flaw that allows WordPress site users of any level to make administrative changes to a website.
The plugin, which has over 100,000 active installs according to its webpage, adds support for Google’s mobile site acceleration tool, dubbed Google Accelerated Mobile Pages (AMP). Researchers at WebARX Security discovered that the plugin didn’t include a check to verify the account permissions of the currently logged in user. In turn, that lack of permission verification opens up admin API access to anyone with a login for a site.
API calls are carried out using the Ajax development framework; they’re essentially “hooks” used by site administrators to interact with the third-party and external functions they need to manage their site.
“In WordPress plugin development, you have the ability to register Ajax hooks which allows you to call functions directly,” the WebARX team explained, in a posting on Thursday. “The main problem with this approach is that every registered user (regardless of account role) can call Ajax hooks. If the called hook doesn’t check for account role, every user can make use of those functions.”
Source: https://threatpost.com/critical-wordpres...er/139162/
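
Added example, not taken from the article or from the AMP for WP code: a WordPress Ajax hook that changes a setting without checking the caller's role, next to the same hook with the check in place. The action names, the `demo_setting` option and the `nonce` field are hypothetical; the nonce check is an extra request-origin safeguard the article does not discuss.

```php
<?php
/**
 * Plugin Name: Ajax capability check demo (hypothetical example)
 */

// BEFORE: wp_ajax_{action} fires for ANY logged-in user, subscribers included.
// The callback writes a site option without checking who is calling it.
add_action( 'wp_ajax_demo_save_settings_unsafe', 'demo_save_settings_unsafe' );
function demo_save_settings_unsafe() {
    $value = isset( $_POST['demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_setting'] ) )
        : '';
    update_option( 'demo_setting', $value ); // reachable by every account role
    wp_send_json_success();
}

// AFTER: the callback verifies the account role before doing any work.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );
function demo_save_settings() {
    // 1. Role check: only users who may manage site options get past this.
    //    wp_send_json_error() sends the response and terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. Nonce check: confirms the request came from a form this site issued.
    //    Third argument false makes it return false instead of dying.
    if ( ! check_ajax_referer( 'demo_save_settings', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    $value = isset( $_POST['demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_setting'] ) )
        : '';
    update_option( 'demo_setting', $value );
    wp_send_json_success();
}
```

When auditing a plugin, every `wp_ajax_` callback that writes data should contain a `current_user_can()` call with a capability matching the action.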