
CVE-2026-0627: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mohammed_kaludi AMP for WP – Accelerated Mobile Pages

Severity: Medium
Published: Fri Jan 09 2026 (01/09/2026, 08:20:46 UTC)
Source: CVE Database V5
Vendor/Project: mohammed_kaludi
Product: AMP for WP – Accelerated Mobile Pages

Description

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.

AI-Powered Analysis

Last updated: 01/09/2026, 08:56:05 UTC

Technical Analysis

CVE-2026-0627 is a stored cross-site scripting vulnerability identified in the AMP for WP – Accelerated Mobile Pages plugin for WordPress, affecting all versions up to and including 1.1.10. The vulnerability stems from insufficient sanitization of SVG file uploads. While the plugin removes `<script>` tags from uploaded SVG files, it fails to neutralize other XSS vectors such as event handler attributes (e.g., onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This incomplete sanitization allows authenticated users with Author-level privileges or higher to upload crafted SVG files containing malicious JavaScript code. When other users view these SVG files, the embedded scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment.

The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (Author or above), no user interaction, and a scope change due to affecting other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to multi-author WordPress sites using this plugin.

The root cause is the reliance on simplistic sanitization that only removes `<script>` tags without addressing other SVG-based XSS attack vectors. This vulnerability highlights the complexity of safely handling SVG content, which can embed executable code in multiple ways beyond script tags. Until a patch is available, administrators should consider disabling SVG uploads or implementing more robust sanitization mechanisms. The vulnerability was published on January 9, 2026, and assigned by Wordfence.

Potential Impact

For European organizations, especially those operating WordPress sites with multiple content authors or contributors, this vulnerability presents a tangible risk of cross-site scripting attacks that can compromise user sessions, steal credentials, or perform unauthorized actions on behalf of users. The stored nature of the XSS means that malicious payloads persist on the server and execute whenever the SVG file is viewed, potentially affecting administrators, editors, or site visitors. This can lead to reputational damage, data breaches, and disruption of web services. Organizations in sectors with high web presence such as media, e-commerce, education, and government are particularly vulnerable. The requirement for Author-level access limits exploitation to insiders or compromised accounts, but phishing or credential theft could facilitate this. The vulnerability does not affect availability but impacts confidentiality and integrity of user data and site content. Given the widespread use of WordPress and the AMP for WP plugin in Europe, the threat surface is significant. Attackers could leverage this vulnerability for targeted attacks against European entities or as part of broader campaigns.

Mitigation Recommendations

1. Immediately restrict or disable SVG file uploads in the WordPress media library until a secure patch is available.
2. Implement server-side SVG sanitization using specialized libraries that comprehensively remove all executable content, including event handlers, foreignObject elements, and animation attributes, not just `<script>` tags.
3. Enforce strict user role management to limit Author-level privileges only to trusted users and monitor for suspicious upload activity.
4. Use Content Security Policy (CSP) headers to restrict script execution contexts and reduce the impact of potential XSS payloads.
5. Regularly audit and monitor uploaded media files for suspicious SVG content.
6. Keep the AMP for WP plugin updated and apply security patches promptly once released.
7. Educate content authors about the risks of uploading untrusted SVG files and encourage use of safer image formats.
8. Consider implementing Web Application Firewalls (WAF) with rules targeting SVG-based XSS attempts.
9. Review and harden WordPress security configurations to minimize privilege escalation risks.
10. Conduct penetration testing focusing on SVG upload vectors to validate mitigation effectiveness.
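The following added example (written for this page, not code from the AMP for WP plugin or from Wordfence) shows why the script-tag-only filtering described above is insufficient and what the tree-based sanitization and upload audit recommended in items 2 and 5 look like. It parses the SVG, rejects the element and attribute classes the advisory names (foreignObject, animation elements, on* event handlers, script-scheme hrefs), and uses a constructed sample SVG with placeholder `x()` handlers; the element and attribute lists are assumptions and not a complete allowlist.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)

# Elements that run or host script without any <script> tag: the vectors the advisory names
BLOCKED_ELEMENTS = {"script", "foreignObject", "set", "animate", "animateMotion", "animateTransform"}
URL_ATTRS = {"href", "{" + XLINK_NS + "}href"}  # plain href and xlink:href

def local_name(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]

def weak_sanitize(svg):
    """The script-tag-only approach the advisory describes; every other vector survives."""
    return re.sub(r"<script\b.*?</script\s*>", "", svg, flags=re.IGNORECASE | re.DOTALL)

def is_script_attr(attr, value):
    """True for on* event handlers and for href attributes carrying a script-capable scheme."""
    name = local_name(attr).lower()
    return name.startswith("on") or (attr in URL_ATTRS and value.strip().lower().startswith(("javascript:", "data:")))

def find_xss_vectors(svg):
    """Audit helper: list every executable element or attribute in an SVG document."""
    findings = []
    for el in ET.fromstring(svg).iter():
        if local_name(el.tag) in BLOCKED_ELEMENTS:
            findings.append("element:" + local_name(el.tag))
        findings += ["attr:" + local_name(a).lower() for a, v in el.attrib.items() if is_script_attr(a, v)]
    return findings

def strict_sanitize(svg):
    """Rebuild the SVG with blocked elements and script-capable attributes removed."""
    root = ET.fromstring(svg)
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)  # drops the whole subtree, e.g. the XHTML inside foreignObject
    for el in root.iter():
        for attr in [a for a, v in el.attrib.items() if is_script_attr(a, v)]:
            del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")

# Constructed sample: no <script> tag, yet four of the vectors the advisory lists.
SAMPLE_SVG = (
    f'<svg xmlns="{SVG_NS}" onload="x()">'
    '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">hi</body></foreignObject>'
    '<circle r="5" onmouseover="x()"/>'
    '<set attributeName="href" to="javascript:x()"/></svg>'
)
```

Running `find_xss_vectors` over existing uploads in the media library gives a quick audit of item 5; `weak_sanitize` leaves all four findings in place, while `strict_sanitize` returns an SVG with none.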


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-05T22:04:46.579Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6960bf3fecefc3cd7c1371c8

Added to database: 1/9/2026, 8:41:35 AM

Last enriched: 1/9/2026, 8:56:05 AM

Last updated: 1/9/2026, 11:46:25 PM

