CVE-2026-0627
📋 TL;DR
The AMP for WP WordPress plugin has a stored cross-site scripting vulnerability in versions up to 1.1.10. Authenticated attackers with Author-level access can upload malicious SVG files containing XSS payloads that execute when viewed by other users. This affects all WordPress sites using vulnerable versions of the AMP for WP plugin.
💻 Affected Systems
- AMP for WP - Accelerated Mobile Pages
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with Author accounts inject malicious scripts to steal user session cookies, perform actions on behalf of users, or display phishing content.
If Mitigated
With proper user access controls and content security policies, impact is limited to isolated user sessions without privilege escalation.
🎯 Exploit Status
Exploitation requires Author-level access. SVG XSS techniques are well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.11 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'AMP for WP - Accelerated Mobile Pages'. 4. Click 'Update Now' if available, or download version 1.1.11+ from WordPress repository. 5. Replace plugin files with patched version.
🔧 Temporary Workarounds
Disable SVG uploads via .htaccess
linuxBlock SVG file uploads at web server level
Add to .htaccess: <FilesMatch "\.svg$">
Order Allow,Deny
Deny from all
</FilesMatch>
Restrict user roles
allLimit Author and above roles to trusted users only
🧯 If You Can't Patch
- Temporarily disable the AMP for WP plugin until patched
- Implement Content Security Policy headers to restrict script execution from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for AMP for WP version. If version is 1.1.10 or lower, you are vulnerable.Check Version:
wp plugin list --name='AMP for WP' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.1.11 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads by Author-level users
- Multiple failed SVG upload attempts
- User agents with SVG-related exploit strings
Network Indicators:
- POST requests to /wp-admin/async-upload.php with SVG files
- Requests to uploaded SVG files with suspicious parameters
SIEM Query:
source="wordpress.log" AND ("uploaded.*svg" OR "async-upload.php") AND user_role="author"🔗 References
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373
- https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve
