Description
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
Published: 2026-01-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via malicious SVG uploads
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows authenticated users with Contributor or higher privilege to upload specially crafted SVG files that are stored and later displayed to other visitors. Because the plugin only strips &lt;script&gt; tags, it fails to remove event handlers (onload, onerror, onmouseover), foreignObject elements and animation attributes, which serve as additional XSS vectors. When a victim opens the uploaded SVG, the malicious script runs in the victim’s browser, enabling script exploitation that can steal session cookies, deface content or launch further attacks, thereby compromising the confidentiality and integrity of the site.

Affected Systems

The affected product is the AMP for WP – Accelerated Mobile Pages plugin for WordPress, as distributed by mohammed_kaludi. All releases up to and including version 1.1.10 are vulnerable. Users running any of these versions on a WordPress installation should consider this plugin to be at risk.

Risk and Exploitability

The CVSSv3.1 score of 6.4 indicates a medium to high severity. The EPSS score is below 1%, suggesting exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because it requires only a Contributor‑level account—a role that many sites grant to legitimate content editors—the risk of exploitation remains serious. An attacker can exploit the flaw by authenticating with a Contributor or administrator account, uploading a crafted SVG file, and then relying on the file’s public display to trigger the script in any user who views it.

Generated by OpenCVE AI on April 15, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AMP for WP plugin to the latest release that applies comprehensive SVG sanitization.
  • If an update is unavailable, disable the SVG upload functionality for all non‑administrator roles or uninstall the plugin entirely if it is not essential.
  • Enable strict MIME type checking and server‑side sanitization for uploaded SVG content, blocking event handler attributes and foreignObject elements.
  • Install a dedicated SVG sanitization plugin such as SVG Support configured with sanitization enabled, or configure your web server to store uploaded SVG files outside the public document root.

Generated by OpenCVE AI on April 15, 2026 at 19:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Mohammed Kaludi
Mohammed Kaludi amp For Wp
Wordpress
Wordpress wordpress
Vendors & Products Mohammed Kaludi
Mohammed Kaludi amp For Wp
Wordpress
Wordpress wordpress

Fri, 09 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
Title AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Mohammed Kaludi Amp For Wp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:53.579Z

Reserved: 2026-01-05T22:04:46.579Z

Link: CVE-2026-0627

cve-icon Vulnrichment

Updated: 2026-01-09T18:03:27.188Z

cve-icon NVD

Status : Deferred

Published: 2026-01-09T09:15:47.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:15:12Z

Weaknesses