CVE-2024-6896
📋 TL;DR
The AMP for WordPress plugin versions up to 1.0.96.1 allows authenticated attackers with Author-level access or higher to upload malicious SVG files containing JavaScript. When these files are accessed by users, the scripts execute in their browsers, enabling persistent cross-site scripting attacks. This affects all WordPress sites using the vulnerable plugin versions.
💻 Affected Systems
- AMP for WP – Accelerated Mobile Pages WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with author accounts inject malicious scripts to steal user session cookies or credentials, potentially compromising user accounts.
If Mitigated
With proper user access controls and content security policies, impact is limited to isolated script execution without data exfiltration.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - just uploading a malicious SVG file. Public proof-of-concept exists in vulnerability references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.96.2 or later
Vendor Advisory: https://wordpress.org/plugins/accelerated-mobile-pages/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'AMP for WP – Accelerated Mobile Pages'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.0.96.2 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable SVG uploads via .htaccess
Deny web access to SVG files at the web server level, so an uploaded SVG can never be fetched by a browser. Add to .htaccess (Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny lines with `Require all denied`):
<FilesMatch "\.svg$">
Order Allow,Deny
Deny from all
</FilesMatch>
Note that this also blocks any legitimate SVG assets the site serves (theme icons, logos).
Restrict user roles
Limit Author-level and higher-privileged accounts to trusted users only.
🧯 If You Can't Patch
- Temporarily disable the AMP for WP plugin until patching is possible
- Implement Content Security Policy (CSP) headers to restrict script execution from SVG files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for AMP for WP version. If version is 1.0.96.1 or lower, you are vulnerable.
Check Version:
wp plugin get accelerated-mobile-pages --field=version (if WP-CLI is installed; the plugin slug is accelerated-mobile-pages, as in the wordpress.org URL above)
Verify Fix Applied:
After update, verify plugin version shows 1.0.96.2 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads by Author-level users
- Multiple failed login attempts followed by SVG uploads
Network Indicators:
- Requests to SVG files with suspicious parameters
- Outbound connections to external domains from SVG file accesses
SIEM Query:
source="wordpress.log" AND ((event="plugin_update" AND plugin_name="AMP for WP") OR (event="file_upload" AND file_extension="svg"))
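The log and SIEM indicators above only tell you that an SVG was uploaded; to triage whether a given upload actually carries active content, you need to look inside the file. The following is an added example, not code from the page or from the AMP for WP project: it parses an SVG and reports script elements, event-handler attributes (on*), javascript: URLs and foreignObject elements, and can walk an uploads directory (the wp-content/uploads path is an assumption you should adjust). The two sample SVGs are constructed for this example.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed samples: one clean vector graphic, one carrying active content.
# The second uses harmless placeholders; only the markers matter for detection.
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SAMPLE_ACTIVE = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>/* placeholder */</script>'
    b'<a xlink:href="javascript:x()"><rect width="10" height="10" onload="x()"/></a>'
    b'</svg>'
)


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.split("}", 1)[1] if "}" in qname else qname


def find_svg_risks(svg_bytes: bytes) -> list:
    """Return a list of human-readable findings for one SVG document.

    An empty list means no active-content markers were found. Unparseable
    input is reported as a finding too, since a browser may still render it.
    In production, parse with defusedxml.ElementTree instead of the stdlib
    parser so that entity-expansion (billion laughs) inputs are rejected.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    for el in root.iter():
        name = _local(el.tag)
        lname = name.lower()
        if lname == "script":
            findings.append("script element")
        if lname == "foreignobject":
            findings.append("foreignObject element")  # can embed arbitrary HTML
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            if a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


def scan_uploads(root_dir: str) -> dict:
    """Walk root_dir and map each .svg path to its findings (only non-empty ones)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                findings = find_svg_risks(fh.read())
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    # Assumed default location of WordPress uploads; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for path, findings in sorted(scan_uploads(target).items()):
        print(f"{path}: {', '.join(findings)}")
```

Run it from the WordPress root (or pass the uploads directory) after the SIEM query flags an SVG upload; any file it lists should be quarantined and its uploading account reviewed. The check is a triage aid rather than a sanitizer: an SVG that passes it is not proven safe, so blocking SVG serving or applying the patch remains the fix.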
🔗 References
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.0.96.1/templates/features.php#L7159
- https://plugins.trac.wordpress.org/changeset/3123278/
- https://wordpress.org/plugins/accelerated-mobile-pages/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b0a5fdb9-4e36-43ce-88ce-cd75bb1d1e25?source=cve