At the start of last week, news began to break of a security exploit found in a common WordPress plugin that offers AMP versions of your posts and pages. This flaw could leave any one of the plugin's 100 thousand active installations exposed to any of its registered users gaining access to admin capabilities.
As of right now, the plugin has been updated (the security patch was released in version 0.9.97.20) and it is believed that the latest version of the plugin contains a patch that fixes the exploit. You can download the latest version of the plugin here.
In previous ‘unsafe’ versions of the plugin, it was discovered that a fundamental user capability check was missing when some tasks were performed through the plugin’s AJAX functions.
So, first of all, if you are using the Accelerated Mobile Pages plugin (just to be clear, this is NOT the AMP plugin created by the WordPress team) and haven’t already upgraded to the latest version, you are strongly urged to do so.