WordPress Plugin Vulnerabilities

AMP for WP < 1.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload

Description

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.

Affects Plugins

Plugin icon
accelerated-mobile-pages
Fixed in 1.1.11

References

CVE
CVE-2026-0627
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
andrea bocchetti
Verified
No
WPVDB ID
f545c6fa-d50d-47de-9237-c81618d464de

Timeline

Publicly Published
2026-01-08 (about 4 months ago)
Added
2026-01-08 (about 4 months ago)
Last Updated
2026-01-09 (about 4 months ago)

Other

Published
Title
Published
2026-01-08
Title
Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2021-09-01
Title
Zoho CRM Lead Magnet < 1.7.2.9 - Admin+ Stored Cross-Site Scripting
Published
2025-02-02
Title
User Role <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-05-01
Title
Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder < 2.5.4 - Contrib+ DOM-Based Cross-Site Scripting
Published
2016-04-26
Title
Gnucommerce < 0.5.7-beta - XSS