A top AMP plugin for WordPress, AMP for WP, has released a patch for a critical security vulnerability.
AMP for WP, which currently has 100,000+ downloads, was pulled from the official WordPress.org plugins section last month.
It has since reappeared as of last week.
The developer says it was pulled because of a security flaw that “could be exploited by non-admins of the site.”
That type of flaw means non-admins could manipulate the plugin settings to place ads, add custom HTML to the header or footer, or insert JavaScript malware.
Please note that this does not refer to the official Google-supported plugin, but it does have a significant number of users.
Downloading the Patch
If you’re one of the many WordPress users with this plugin installed, it’s recommended that you download the patch.
Applying the patch is as simple as updating the plugin from your WordPress dashboard.
If you have automatic updates turned on, then your plugin may already be patched. Otherwise, you will have to update the plugin manually.