WordPress Plugin Vulnerabilities

Accelerated Mobile Pages < 0.9.97.21 - Stored XSS

Description

The AMP for WP – Accelerated Mobile Pages WordPress plugin was affected by a Stored XSS security vulnerability.

Affects Plugins

Plugin icon
accelerated-mobile-pages
Fixed in 0.9.97.21

References

CVE
CVE-2018-20838
URL
https://ampforwp.com/critical-security-issues-has-been-fixed-in-0-9-97-20-version/
URL
https://www.wordfence.com/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Verified
No
WPVDB ID
46b90ea0-df16-4af4-a6e9-fa5d6e702d15

Timeline

Publicly Published
2018-11-20 (about 7 years ago)
Added
2019-08-23 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2022-05-25
Title
Promotion Slider <= 3.3.4 - Contributor+ Stored Cross-Site Scripting
Published
2025-09-22
Title
WP Frontend Admin < 1.22.8 - Contributor+ Stored XSS
Published
2024-03-25
Title
Shortlinks by Pretty Links < 3.6.3 - Reflected Cross-Site Scripting via post_status
Published
2025-07-23
Title
Mine CloudVod < 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via audio Parameter
Published
2023-09-06
Title
Carrot <= 1.1.0 - Admin+ Stored XSS