Just a week ago, Defiant analysts reported a dangerous vulnerability in the popular WP GDPR Compliance plugin, which has more than 100,000 installations. The bug lets attackers reach one of the plugin's internal functions and change the settings not only of the plugin itself but of the entire CMS, for example by creating a new administrator account in the system.
Now a very similar problem is being exploited in another popular solution, the AMP plugin for WordPress. The vulnerability was discovered at the end of October, and the plugin was even removed from the official repository for more than a week, until the developers released version 0.9.97.20, in which the vulnerability was fixed.
A PoC exploit appeared last week, and now Wordfence specialists warn that attackers are combining exploitation of this problem with an XSS vulnerability. Chaining the two bugs lets the attackers create a new user (usually called supportuuser) with administrator rights and reach the code editor of other plugins, which is used to inject backdoors into the site (so that access survives even if supportuuser is removed). The experts urge AMP for WordPress users to update as soon as possible and to check their sites for signs of compromise (at a minimum, by looking for a supportuuser profile and deleting it if found).
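As an added, defender-side example (not part of the original report and not Wordfence's or the plugin's own tooling), the script below takes the administrator list that WP-CLI can emit and flags both the account name mentioned above and any administrator registered after a cut-off date; the WP-CLI invocation is an assumed way of obtaining that list, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: triage helper for the admin-account abuse described above.
# It expects CSV rows as produced by (assumed invocation, run on the site):
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
# and prints "login,registered,reason" for each suspicious administrator.

# flag_admins CUTOFF  < csv-on-stdin
# CUTOFF is an ISO timestamp ("YYYY-MM-DD HH:MM:SS"); ISO strings sort
# lexicographically, so a plain string comparison is enough in awk.
flag_admins() {
    cutoff="$1"
    awk -F, -v cutoff="$cutoff" 'NR > 1 {
        login = $1; registered = $2; reason = ""
        # Indicator named in the report: the account the attackers create.
        if (login == "supportuuser")
            reason = "matches indicator supportuuser"
        # Any other administrator created after the cut-off deserves review.
        else if (registered > cutoff)
            reason = "administrator registered after " cutoff
        if (reason != "")
            print login "," registered "," reason
    }'
}

# Constructed sample in the CSV shape WP-CLI emits (not real site data).
SAMPLE_ADMINS='user_login,user_registered
admin,2017-03-02 10:15:00
editor_jane,2018-01-11 08:00:00
supportuuser,2018-11-09 03:41:12
backup_ops,2018-11-10 22:05:30'

# Runs the check over the embedded sample; on a live site pipe the real
# WP-CLI output into flag_admins instead. Because the attackers plant
# backdoors in other plugins' files, follow up with a file integrity check
# such as:  wp plugin verify-checksums --all
main_demo() {
    printf '%s\n' "$SAMPLE_ADMINS" | flag_admins "2018-10-31 00:00:00"
}

main_demo
```

The cut-off should be the date the site last had a known-good administrator list; with the sample above, supportuuser and backup_ops are reported and the two older accounts are not.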