CVE-2024-1043 in AMP for WP Plugin
Summary
by MITRE • 02/29/2024
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'amppb_remove_saved_layout_data' function in all versions up to, and including, 1.0.93.1. This makes it possible for authenticated attackers, with contributor access and above, to delete arbitrary posts on the site.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-1043 affects the AMP for WP – Accelerated Mobile Pages plugin for WordPress, specifically targeting versions up to and including 1.0.93.1. This security flaw represents a critical authorization bypass issue that undermines the plugin's data integrity protections. The vulnerability stems from a fundamental missing capability check within the 'amppb_remove_saved_layout_data' function, which operates without proper access controls despite handling sensitive data operations. The absence of proper authentication verification creates a pathway for malicious actors to exploit the system's trust model and execute unauthorized data deletion operations. This particular vulnerability is particularly concerning because it targets users with contributor-level access or higher, which represents a significant privilege escalation vector within WordPress's user role hierarchy.
The technical implementation of this vulnerability manifests through the inadequate validation of user permissions within the plugin's administrative functions. When an authenticated user with contributor privileges attempts to invoke the 'amppb_remove_saved_layout_data' endpoint, the system fails to verify whether the user possesses the necessary authorization to perform data deletion operations. This missing capability check creates a direct attack surface where malicious users can leverage their existing permissions to execute destructive actions beyond their intended scope. The flaw operates at the application logic level, specifically within the plugin's data handling mechanisms, where proper access control enforcement should have been implemented but was omitted. According to CWE classification, this vulnerability maps to CWE-284: Improper Access Control, which specifically addresses insufficient access control mechanisms that allow unauthorized users to perform privileged operations. The vulnerability's impact is amplified by the fact that it affects a widely used WordPress plugin, potentially exposing numerous websites to unauthorized data manipulation.
The operational consequences of this vulnerability extend beyond simple data loss, creating a broader threat landscape for affected WordPress installations. An attacker with contributor-level access can leverage this vulnerability to delete arbitrary posts, which may include critical content, user-generated material, or sensitive business information. This capability undermines the integrity of the content management system and can lead to significant business disruption, reputation damage, and potential compliance violations. The vulnerability's exploitation requires minimal privileges, making it particularly dangerous in environments where contributor accounts may be more frequently compromised or where multiple users have elevated access rights. From an ATT&CK framework perspective, this vulnerability aligns with techniques such as T1078: Valid Accounts and T1485: Data Destruction, where attackers use legitimate credentials to perform unauthorized destructive actions. The ability to delete posts represents a form of data destruction that can be particularly damaging to website operations and user trust.
Mitigation strategies for CVE-2024-1043 should prioritize immediate plugin updates to versions that address the missing capability check. System administrators must ensure that all instances of the AMP for WP plugin are updated to the latest release that includes proper access control enforcement. Additionally, implementing network-level monitoring and logging of administrative API calls can help detect unauthorized access attempts and provide forensic evidence of potential exploitation. Security teams should also consider implementing role-based access controls that limit the privileges of contributor accounts and enforce the principle of least privilege. Organizations should conduct thorough vulnerability assessments to identify all instances of the affected plugin and verify that proper access controls have been implemented. The remediation process should include comprehensive testing to ensure that the updated plugin functions correctly without introducing regressions. Regular security audits and penetration testing should be conducted to identify similar access control vulnerabilities in other plugins and themes. Implementing web application firewalls and security monitoring solutions can provide additional layers of protection against exploitation attempts and help maintain the integrity of WordPress installations.