The email I sent to the WordPress plugin review team.
Hi there!
The plugin URI: https://wordpress.org/plugins/accelerated-mobile-pages/
As I was trying to incorporate compatibility for the plugin, I found several actionable hooks that allow users to do any of the following:
a) Users can download/read any file.
b) Users can upload files.
c) Users can exploit wp_remote_*() with self-set URLs.
d) Users can update the plugin’s settings.
e) Users can update post meta.
f) Users can download the complete Media library by supplying a random array of IDs.
g) Users can inject Posts.
All this can be done with merely a WordPress subscriber/visitor/commenter account.
Unfortunately, I don’t have the time to forge examples. Please look at these hooks to evaluate my assessments:
1. wp_ajax_ampforwp_get_licence_activate_update
2. wp_ajax_ampforwp_deactivate_license
3. wp_ajax_ampforwp_save_installer
4. wp_ajax_amppb_export_layout_data
5. wp_ajax_amppb_save_layout_data
6. wp_ajax_ampforwp_get_image
These hooks lack nonce and current_user_can() verifications, and wp_ajax_* actions only require the user to be logged in.
Other issues I’ve found are:
1. In the past I found that editors could potentially XSS the site. I fixed that for them, but they’ve since reverted it to add more features. There’s a consistent lack of escaping output; although WordPress prevents most of this from being exploited via the unfiltered_html capability, I still believe this should be investigated.
2. The ../templates/instant-articles/instant-article-sanitizer.php file contains various simple, nonprefixed functions.
3. The ../pagebuilder/amp-page-builder.php file contains a useless non-limiting definition check on line 2. This is nitpicking, as it’ll only generate PHP errors starting at line 7. But it creates a false sense of direct-calling security.
4. You’ll also find a carbon-copy of the https://wordpress.org/plugins/amp/ plugin at version 0.4.2 in ../includes/vendor/amp.
5. In ../includes/modules-upgrade.php you’ll find non-standard functionality that downloads and installs plugins. Albeit only downloading from the WordPress.org repository, this will break a non-standard WP site easily, i.e. when WP_CONTENT_DIR is altered.
I couldn’t find the time to do more scrutinizing, but I think fixing these issues is a great step in the right direction.
I admire the authors for adding so many features in such a short time, but I think they should evaluate the security and integrity while doing so.
Kind regards,
Sybre Waaijer
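The class of flaw the email describes, as an added illustration that is not code from the plugin under review or from the email's author: a wp_ajax_* handler that relies only on the user being logged in, next to the same handler with the nonce and capability checks the email says are missing. The hook, option, function and settings-page names are hypothetical.

```php
<?php
// Added illustration, not code from the plugin under review: the pattern the
// email describes (an admin-ajax handler with no nonce or capability check)
// beside a hardened version. Hook, option and function names are hypothetical.

// BEFORE: the handler shape the email objects to. Because wp_ajax_* only
// requires a logged-in user, any subscriber could call this and overwrite the
// option. Shown for contrast only; it is intentionally not registered here.
function myplugin_save_settings_unsafe() {
    update_option( 'myplugin_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

// AFTER: nonce (CSRF) check, then capability (authorization) check, then
// input validation, before anything touches the database.
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings' );
function myplugin_save_settings() {
    // check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'myplugin_save_settings', 'nonce' );

    // Being logged in is not enough; require the capability the action needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Accept only the keys the plugin knows about, each sanitised for its type.
    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'enabled' => ! empty( $raw['enabled'] ) ? 1 : 0,
        'api_url' => isset( $raw['api_url'] ) ? esc_url_raw( $raw['api_url'] ) : '',
    );
    update_option( 'myplugin_settings', $clean );
    wp_send_json_success( $clean );
}

// The nonce must be minted server-side and handed to the admin page's script,
// which posts it back as the `nonce` field alongside action=myplugin_save_settings.
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
function myplugin_enqueue_admin_script( $hook ) {
    // 'settings_page_myplugin' assumes an options page registered with slug 'myplugin'.
    if ( 'settings_page_myplugin' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_save_settings' ),
    ) );
}
```

The same two checks apply to the other actions the email lists: a handler that reads files, uploads, calls wp_remote_*(), or writes post meta needs a nonce plus the specific capability for that operation, not merely an authenticated session.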