CVE-2026-0627

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) El plugin AMP for WP para WordPress es vulnerable a cross-site scripting almacenado a través de cargas de archivos SVG en todas las versiones hasta la 1.1.10, inclusive. Esto se debe a una sanitización insuficiente del contenido de los archivos SVG que solo elimina las etiquetas `

09 Jan 2026, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-09 09:15

Updated : 2026-06-17 10:11


NVD link : CVE-2026-0627

Mitre link : CVE-2026-0627

CVE.ORG link : CVE-2026-0627


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')