Reflected Cross-Site Scripting Vulnerability in AMP for WP Plugin by WordPress
CVE-2024-0587

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
AMP for WP – Accelerated Mobile Pages
Vendor
CVE Published:
23 January 2024

Summary

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is susceptible to reflected cross-site scripting due to inadequate input sanitization and output escaping specifically related to the 'disqus_name' parameter. This vulnerability can allow unauthenticated attackers to inject malicious scripts into web pages. If a user is deceived into clicking a compromised link, it can lead to the execution of arbitrary JavaScript on the site, potentially compromising sensitive information and user sessions.

Affected Version(s)

AMP for WP – Accelerated Mobile Pages * <= 1.0.92.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3024147/acce...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Rollings
.