PT-2026-1963 · WordPress · Wordpress

Andrea Bocchetti · Published 2026-01-09 · Updated 2026-01-09 · CVE-2026-0627

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
AMP for WP plugin for WordPress versions prior to 1.1.11

Description
The AMP for WP plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. Insufficient sanitization of SVG file content allows for the injection of malicious web scripts. Specifically, the sanitization process only removes <script> tags, while other XSS vectors, such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes, remain exploitable. Authenticated attackers with Author-level access or higher can upload malicious SVG files. These scripts execute whenever a user views the uploaded file.

Recommendations
Update the AMP for WP plugin to version 1.1.11 or later.
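To make the description concrete, the following is an added example (not code from the plugin or from this advisory): a filter that only strips <script> blocks, of the kind described above, beside an allowlist check that also flags the event-handler attributes, foreignObject elements and animation elements the description names. The element set, attribute set and test documents are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script with no <script> tag: foreignObject embeds HTML,
# and the SVG animation elements can rewrite attributes such as href at view time.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "animate", "animateMotion",
                      "animateTransform", "set"}
# Attributes whose value is (or can be animated into) a URL.
URL_ATTRIBUTES = {"href", "to", "from", "values"}
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def naive_strip_script(svg: str) -> str:
    """The kind of filter the advisory describes: only <script> blocks are removed."""
    return re.sub(r"<script\b.*?</script\s*>", "", svg, flags=re.S | re.I)


def find_active_content(svg: str) -> list[str]:
    """Allowlist-style check: list every construct that could execute script.
    An empty list means none of the vectors checked here is present."""
    findings = []
    for el in ET.fromstring(svg).iter():
        tag = el.tag.split("}")[-1]               # drop the "{namespace}" prefix
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]
            if name.lower().startswith("on"):     # onload, onerror, onmouseover, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"{name}={value!r} on <{tag}>")
    return findings


# Constructed test documents (not from the advisory); the payload is a harmless alert.
SVG_NS = 'xmlns="http://www.w3.org/2000/svg"'
SAMPLES = {
    "clean": f'<svg {SVG_NS}><circle cx="5" cy="5" r="4"/></svg>',
    "script": f'<svg {SVG_NS}><script>alert(1)</script><rect width="1" height="1"/></svg>',
    "onload": f'<svg {SVG_NS} onload="alert(1)"><rect width="1" height="1"/></svg>',
    "foreignObject": f'<svg {SVG_NS}><foreignObject><img xmlns="http://www.w3.org/1999/xhtml" src="x" onerror="alert(1)"/></foreignObject></svg>',
    "animation": f'<svg {SVG_NS} xmlns:xlink="http://www.w3.org/1999/xlink"><a><set attributeName="xlink:href" to="javascript:alert(1)"/><rect width="1" height="1"/></a></svg>',
}


def compare_filters() -> dict[str, tuple[bool, bool]]:
    """Per sample: (accepted after naive <script> stripping, accepted by the allowlist check)."""
    result = {}
    for name, svg in SAMPLES.items():
        naive_ok = "<script" not in naive_strip_script(svg).lower()
        result[name] = (naive_ok, not find_active_content(svg))
    return result


if __name__ == "__main__":
    for name, (naive_ok, strict_ok) in compare_filters().items():
        print(f"{name:14} naive filter accepts: {naive_ok!s:5}  allowlist accepts: {strict_ok}")
```

Only the clean document passes the allowlist check; the naive filter accepts all five, including the four the advisory lists as still exploitable.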

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-0627

Affected products

Amp For Wp
Wordpress