Stored Cross-Site Scripting Vulnerability in AMP for WP Plugin by WordPress
CVE-2023-6782

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
AMP for WP – Accelerated Mobile Pages
Vendor
CVE Published:
11 January 2024

Summary

The AMP for WP – Accelerated Mobile Pages plugin is prone to a vulnerability allowing authenticated attackers with contributor-level or higher permissions to exploit insufficient input sanitization and output escaping. By injecting arbitrary web scripts into the plugin's shortcodes, attackers can cause these scripts to execute whenever a user accesses the impacted pages, potentially compromising user data and site integrity.

Affected Version(s)

AMP for WP – Accelerated Mobile Pages * <= 1.0.92

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.svn.wordpress.org/accelerated-mobile-page...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ngô Thiên An
.