Schema & Structured Data for WP & AMP < 1.50 – Unauthenticated Stored-XSS | CVE 2025-9512 | Plugin Vulnerabilities

Description

The plugin does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.

Proof of Concept

1. Install and activate the `schema-and-structured-data-for-wp` plugin
2. As an unauthenticated user, create a comment with the following content: 
`Hello this is a totally normal comment. Check out this cool website: <a href='itemprop="' title="' tabindex=1 autofocus=1 onfocus=alert(1)//">stealthcopter</a>`
3. Once the comment is approved, the script will be executed on page load.

Affects Plugins

schema-and-structured-data-for-wp

Fixed in 1.50

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Matthew Rollings

Submitter

Matthew Rollings

Submitter website

https://sec.stealthcopter.com

Submitter twitter

Verified

Yes

WPVDB ID

e45d9335-3665-4155-abdf-9eeea250f1ba

Timeline

Publicly Published

2025-09-10 (about 3 months ago)

Added

2025-09-10 (about 3 months ago)

Last Updated

2025-09-10 (about 3 months ago)

Other

Published

Title

Published

2025-11-20

Title

EchBay Admin Security < 1.3.1 - Reflected Cross-Site Scripting

Published

2024-12-11

Title

WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more < 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-09-20

Title

ActiveHelper LiveHelp Server 3.1.0 - server/offline.php Multiple Parameter XSS

Published

2021-08-23

Title

Gallery Blocks with Lightbox < 2.2.1 - Authenticated Stored Cross-Site Scripting

Published

2024-04-16

Title

Cornerstone < 0.8.1 - Reflected Cross-Site Scripting via PHP_SELF