CVE-2024-1043

MEDIUM

Ampforwp Accelerated Mobile Pages < 1.0.93.2 - Missing Authorization

Title source: rule

Description

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'amppb_remove_saved_layout_data' function in all versions up to, and including, 1.0.93.1. This makes it possible for authenticated attackers, with contributor access and above, to delete arbitrary posts on the site.

References (4)

Core 4

Core References

Product

https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.0.93.1/pagebuilder/inc/adminAjaxContents.php#L134

Patch

https://plugins.trac.wordpress.org/changeset/3030425/accelerated-mobile-pages/tags/1.0.93.2/pagebuilder/inc/adminAjaxContents.php?old=3025105&old_path=accelerated-mobile-pages%2Ftags%2F1.0.93.1%2Fpagebuilder%2Finc%2FadminAjaxContents.php

Product

https://wordpress.org/plugins/accelerated-mobile-pages/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/ffb70e82-355b-48f3-92d0-19659ed2550e?source=cve

Scores

CVSS v3 6.5

EPSS 0.0066

EPSS Percentile 46.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-862

Status published

Products (2)

ampforwp/accelerated_mobile_pages < 1.0.93.2

mohammed_kaludi/AMP for WP – Accelerated Mobile Pages < 1.0.93.1

Published Feb 29, 2024

Tracked Since Feb 18, 2026