CVE-2024-9598

Name of the Vulnerable Software and Affected Versions AMP for WP – Accelerated Mobile Pages plugin for WordPress versions up to, and including, 1.0.99.1

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the proxy function. This allows unauthenticated attackers to send the logged-in user's cookies to their own server via a forged request if they can trick a site administrator into performing an action such as clicking on a link.

Recommendations For versions up to, and including, 1.0.99.1, consider disabling the proxy function until a patch is available to prevent exploitation. Restrict access to the proxy function to minimize the risk of sending the logged-in user's cookies to unauthorized servers. Avoid using the proxy function in situations where a site administrator may be tricked into performing an action that could lead to a forged request.