However, the actual vulnerability was discovered by a Dutch security researcher named Sybre Waaijer, who found and reported the issue to the maintainers of the WordPress Plugins repository in mid-October.
The vulnerability is similar to the one reported in the WP GDPR Compliance plugin, as attackers can use the plugin's vulnerable code to make site-wide changes to site options that the plugin shouldn't have had access to.
But it appears that the publication of the proof-of-concept code last week has drawn hackers' attention to this largely unknown issue. Now, Defiant experts say that hackers have incorporated this new vulnerability into a "sophisticated attack campaign."
The campaign warrants the "sophisticated" tag because hackers aren't just blindly abusing the AMP for WP vulnerability directly, but have combined it with another cross-site scripting (XSS) security bug.
Attackers scan the web for vulnerable sites using the AMP for WP plugin, use the XSS vulnerability to store malicious code in various parts of the sites, and wait for an admin user to access those site sections.
The campaign is in full force, Defiant warns, and WordPress site admins should update the AMP for WP plugin as soon as possible and check whether a new admin user account named "supportuuser" has appeared out of the blue in their site's backend.
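
One way to run the account check described above is to audit the site's administrator list against the accounts you expect to exist. This is an added example, not code from Defiant or the plugin's authors. The sample JSON, the allowlist and the function name are constructed for illustration, and the input is assumed to be shaped like WP-CLI's `wp user list` JSON output.

```python
import json

# Account name the article reports being created by this campaign.
REPORTED_ACCOUNT = "supportuuser"

# Constructed sample, shaped like the output of:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=json
SAMPLE_ADMINS_JSON = """
[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
   "user_registered": "2016-03-02 09:14:51"},
  {"ID": 7, "user_login": "editor-in-chief", "user_email": "eic@example.com",
   "user_registered": "2017-08-19 16:40:03"},
  {"ID": 42, "user_login": "SupportUUser", "user_email": "unknown@example.net",
   "user_registered": "2018-11-18 03:27:10"},
  {"ID": 43, "user_login": "wpadmin2", "user_email": "unknown2@example.net",
   "user_registered": "2018-11-18 03:29:44"}
]
"""

# Hypothetical allowlist: administrator logins this site is expected to have.
EXPECTED_ADMINS = {"siteowner", "editor-in-chief"}


def audit_admins(admins_json, expected=EXPECTED_ADMINS):
    """Return one finding per administrator account that needs review."""
    expected_lower = {name.lower() for name in expected}
    findings = []
    for user in json.loads(admins_json):
        login = str(user.get("user_login", ""))
        key = login.strip().lower()  # compare case-insensitively
        if key == REPORTED_ACCOUNT:
            reason = "matches account name reported for this campaign"
        elif key not in expected_lower:
            reason = "administrator not on the expected list"
        else:
            continue  # known administrator, nothing to report
        findings.append({"id": user.get("ID"), "login": login,
                         "registered": user.get("user_registered"),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_admins(SAMPLE_ADMINS_JSON):
        print(f"[review] id={f['id']} login={f['login']} "
              f"registered={f['registered']}: {f['reason']}")
```

Comparing against an expected list also surfaces unexpected administrators whose names differ from the one reported in the article.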