{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0627", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-05T22:04:46.579Z", "datePublished": "2026-01-09T08:20:46.258Z", "dateUpdated": "2026-04-08T16:51:53.579Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:53.579Z"}, "affected": [{"vendor": "mohammed_kaludi", "product": "AMP for WP \u2013 Accelerated Mobile Pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file."}], "title": "AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373"}, {"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373"}, {"url": "https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "timeline": [{"time": "2026-01-08T19:34:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T18:03:23.177288Z", "id": "CVE-2026-0627", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:03:30.677Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0627", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T18:03:23.177288Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:03:27.188Z"}}], "cna": {"title": "AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload", "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mohammed_kaludi", "product": "AMP for WP \u2013 Accelerated Mobile Pages", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-08T19:34:15.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373"}, {"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373"}, {"url": "https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php"}], "descriptions": [{"lang": "en", "value": "The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-09T08:20:46.258Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0627", "state": "PUBLISHED", "dateUpdated": "2026-01-09T18:03:30.677Z", "dateReserved": "2026-01-05T22:04:46.579Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T08:20:46.258Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file."}, {"lang": "es", "value": "El plugin AMP for WP para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de cargas de archivos SVG en todas las versiones hasta la 1.1.10, inclusive. Esto se debe a una sanitizaci\u00f3n insuficiente del contenido de los archivos SVG que solo elimina las etiquetas `"}], "id": "CVE-2026-0627", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T09:15:47.883", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:14:01.703460+00:00", "value": {"mitigation_remediation": ["Update the AMP for WP plugin to the latest release that applies comprehensive SVG sanitization.", "If an update is unavailable, disable the SVG upload functionality for all non\u2011administrator roles or uninstall the plugin entirely if it is not essential.", "Enable strict MIME type checking and server\u2011side sanitization for uploaded SVG content, blocking event handler attributes and foreignObject elements.", "Install a dedicated SVG sanitization plugin such as SVG Support configured with sanitization enabled, or configure your web server to store uploaded SVG files outside the public document root."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross-Site Scripting via malicious SVG uploads"}, "threat_synthesis": {"affected_systems": "The affected product is the AMP for WP \u2013 Accelerated Mobile Pages plugin for WordPress, as distributed by mohammed_kaludi. All releases up to and including version 1.1.10 are vulnerable. Users running any of these versions on a WordPress installation should consider this plugin to be at risk.", "description_and_impact": "This vulnerability allows authenticated users with Contributor or higher privilege to upload specially crafted SVG files that are stored and later displayed to other visitors. Because the plugin only strips &lt;script&gt; tags, it fails to remove event handlers (onload, onerror, onmouseover), foreignObject elements and animation attributes, which serve as additional XSS vectors. When a victim opens the uploaded SVG, the malicious script runs in the victim\u2019s browser, enabling script exploitation that can steal session cookies, deface content or launch further attacks, thereby compromising the confidentiality and integrity of the site.", "risk_and_exploitability": "The CVSSv3.1 score of 6.4 indicates a medium to high severity. The EPSS score is below 1%, suggesting exploitation is currently unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, because it requires only a Contributor\u2011level account\u2014a role that many sites grant to legitimate content editors\u2014the risk of exploitation remains serious. An attacker can exploit the flaw by authenticating with a Contributor or administrator account, uploading a crafted SVG file, and then relying on the file\u2019s public display to trigger the script in any user who views it."}}}}, "created": "2026-01-09T13:23:53.898856+00:00", "updated": "2026-04-15T19:15:12.084324+00:00", "vendors": ["mohammed_kaludi", "mohammed_kaludi$PRODUCT$amp_for_wp", "wordpress", "wordpress$PRODUCT$wordpress"]}