This post explains the vulnerability reports that have appeared on blogs, social media, and other news sites.
We learned about the security loopholes in the plugin from the WordPress.org team on 21st October 2018; that is when they paused distribution of the plugin until we fixed them.
As soon as we received the details from the WordPress.org team, we started fixing the code and made sure that everything complied with WordPress.org standards. The plugin was thoroughly reviewed by them and made live again on 13th November 2018 in version 0.9.97.20.
After we pushed the update, we wrote a post explaining the issues and the fixes we had made.
A few days ago, security companies such as WebARX and Wordfence wrote blog posts about this for security research purposes. Those posts include a “proof of concept” showing how attackers could exploit the security loopholes in versions before 0.9.97.20. The purpose of those reports was to learn from the mistakes and to educate others.
If you are using AMPforWP version 0.9.97.20 or above, you do not need to worry about these issues at all. If you have not updated yet, we recommend that you update now.
We have learned a lot from this and are improving the overall security of the plugin. We are even considering hiring a security firm to audit the plugin and help us secure it for you.
Sybre Waaijer, author of The SEO Framework plugin and the person who discovered the vulnerability, reported the issue on this thread; after the issue was fixed, he deleted those comments and noted that it had been resolved.
We have also just pushed a follow-up update that fixes some minor bugs reported after the security update.
The AMPforWP security issue reported on GitHub has been fixed.
What has been fixed in the recent update (0.9.97.21)?
- Fixed: Sanitization of user content before saving #2679
- Fixed: Slide-in menu not working in the Minimal blogging theme after the 0.9.97.20 update #2667
- Fixed: Author bio does not show the proper link #2674
- Fixed: HTML not being rendered in the cookie consent notification text #2671
- Fixed: Telephone link not working after the 0.9.97.20 update
Please let us know if you need any other clarification. As always, we welcome your feedback to help us improve ourselves and the plugin.