
CVE-2026-0627: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mohammed_kaludi AMP for WP – Accelerated Mobile Pages

Severity: Medium (CVSS 3.1 base score 6.4)
Published: Fri Jan 09 2026 (01/09/2026, 08:20:46 UTC)
Source: CVE Database V5
Vendor/Project: mohammed_kaludi
Product: AMP for WP – Accelerated Mobile Pages

Description

CVE-2026-0627 is a stored cross-site scripting (XSS) vulnerability in the AMP for WP – Accelerated Mobile Pages WordPress plugin, affecting all versions up to and including 1.1.10. The flaw is a denylist-style SVG sanitizer: only <script> tags are removed from uploaded SVG files, while other XSS vectors such as event-handler attributes and foreignObject elements are left in place. Authenticated users with Author-level or higher privileges can therefore upload a crafted SVG whose embedded script runs in the browser of any user who opens the file. The result is a limited confidentiality and integrity impact, such as session hijacking or actions performed in the context of the affected user. The CVSS 3.1 base score is 6.4 (medium): network exploitable with low attack complexity, but requiring an authenticated account. European organizations running this plugin are at risk, especially sites with multiple authors or contributors. Mitigation involves restricting SVG uploads, applying allowlist-based SVG sanitization rather than script-tag removal, and limiting which roles can upload files.

AI-Powered Analysis

AILast updated: 01/16/2026, 10:07:02 UTC

Technical Analysis

CVE-2026-0627 is a stored cross-site scripting vulnerability in the AMP for WP – Accelerated Mobile Pages plugin for WordPress, affecting all versions up to and including 1.1.10. WordPress core does not accept SVG uploads by default; this plugin's SVG upload handling does, and its sanitization is insufficient. It removes <script> tags from the uploaded SVG but leaves the other ways an SVG can carry script: event-handler attributes (onload, onerror, onmouseover and the rest of the on* family), foreignObject elements, which embed arbitrary XHTML with its own script and handlers, javascript: URIs in href/xlink:href attributes, and SVG animation elements such as set and animate that can write such a URI into an attribute at render time. Removing one tag from a denylist is not sanitization; the accepted approach is to parse the file and keep only an allowlist of known-safe elements and attributes.

An authenticated attacker with Author-level or higher privileges uploads a crafted SVG through the plugin. The script does not run where the image is merely displayed through an <img> tag, because browsers disable scripting in that context; it runs when a victim opens the attachment URL directly or the file is embedded via <object>, <iframe> or <embed>. In the WordPress media library and on attachment pages that is a single click away for an editor or administrator. Once running in the victim's origin the script can read the page, harvest the victim's nonces and issue authenticated requests on their behalf, so an Author-level foothold can turn into administrator actions such as creating users or changing settings. That is the privilege escalation path: abuse of the victim's session, not a bypass of WordPress capability checks.

The vulnerability has a CVSS 3.1 base score of 6.4 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network reachable, low complexity, low privileges (Author) required, no user interaction beyond the victim's normal browsing, changed scope because the payload executes in the victim's browser rather than in the plugin, and low impact on confidentiality and integrity with none on availability. No exploitation in the wild has been reported, but multi-author blogs and sites with frequent content uploads are the most exposed. This record carries no patch link, so check the plugin's changelog for a fixed release and apply the manual mitigations below in the meantime.

Potential Impact

For European organizations the practical consequence is script execution inside a trusted WordPress administrative context: an editor or administrator who opens a malicious attachment hands the attacker their session, and the attacker can then act as that user. Outcomes range from data leakage and defacement to further compromise of the site and its visitors, with the reputational damage and loss of user trust that follow for organizations relying on the plugin for SEO and mobile performance. The Author-level requirement narrows the attack surface but does not remove it: collaborative sites routinely grant Author to freelancers, guest writers and agency staff, and a single phished or reused Author password is enough. The impact on confidentiality and integrity is moderate, and there is no direct availability impact. Given how widely WordPress and AMP plugins are deployed across European media, e-commerce and public-sector sites, the exposure is significant; an attacker could use the injected script to harvest credentials or deliver further payloads to the site's users.

Mitigation Recommendations

European organizations should audit user roles first: remove Author or higher from accounts that do not need it, and treat any account that can upload files as able to reach every administrator who opens the media library. Where SVG uploads are not essential, disable them; WordPress core rejects them by default, so removing the plugin setting or code that enables them returns to a safe baseline. Where they are needed, run every upload through an allowlist-based sanitizer that parses the XML and keeps only known-safe elements and attributes (dropping the whole on* attribute family, script, foreignObject, style, animation elements, and any href or other attribute carrying a javascript: or data: URI), for example the Safe SVG plugin; pattern-based removal of individual tags is the same class of denylist that failed here. Review SVG files already in wp-content/uploads for those constructs, since files uploaded before a fix remain dangerous.

Harden how uploads are served. A page-level Content Security Policy does not protect a victim who opens the SVG as its own document, so set the header on the SVG response itself (for example Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline' for .svg files under the uploads directory), or serve them with Content-Disposition: attachment so they download instead of rendering. Keep WordPress core, themes and plugins current and watch for an official AMP for WP release that fixes this issue. WAF signatures for SVG-based XSS payloads add a layer but are bypassable in the same way the plugin's own filter was, so do not rely on them alone. Brief content authors on the risk of uploading files they did not create, and include file-upload handling in regular security scans and penetration tests.
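The contrast the Technical Analysis draws between removing <script> tags and allowlist sanitization, and the Mitigation Recommendations' review of already-uploaded files, are shown in the following added example. It is not code from the AMP for WP plugin: strip_script_tags() is an assumed model of "only <script> tags are removed", the allowlist sets are this example's own choice, and every SVG payload is constructed for the demonstration.

```python
"""Denylist vs allowlist SVG sanitization for the CVE-2026-0627 vector class.

Added example, not the plugin's code. strip_script_tags() is an assumed model of
"only <script> tags are removed"; every payload below is constructed.
"""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET  # production: parse with defusedxml to stop entity expansion

SVG_NS = "http://www.w3.org/2000/svg"

# Geometry/styling only. Everything else (a, use, image, style, foreignObject,
# script, set/animate*) is dropped, so nothing that can carry script survives.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse", "line",
    "polyline", "polygon", "text", "tspan", "linearGradient", "radialGradient", "stop",
    "clipPath", "mask",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "width", "height", "viewBox", "preserveAspectRatio", "transform",
    "fill", "stroke", "stroke-width", "opacity", "offset", "stop-color", "d", "points",
    "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry", "dx", "dy",
}
# Elements that can execute or inject script; the scanner flags them for review.
FLAGGED_ELEMENTS = {"script", "foreignObject", "set", "animate", "animateTransform",
                    "animateMotion", "iframe", "embed", "object"}

# Constructed payloads: one per vector the advisory names, plus the one it says is blocked.
PAYLOADS = {
    "script_tag": '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "onload_handler": '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                      '<rect width="1" height="1"/></svg>',
    "foreignObject": '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="1" height="1">'
                     '<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/>'
                     '</body></foreignObject></svg>',
    "javascript_href": '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                       '<a xlink:href="javascript:alert(1)"><text y="10">x</text></a></svg>',
    "set_animation": '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                     '<a><set attributeName="xlink:href" to="javascript:alert(1)"/>'
                     '<text y="10">x</text></a></svg>',
}

def local_name(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'; un-namespaced names pass through."""
    return qname.rsplit("}", 1)[-1]

def is_script_uri(value: str) -> bool:
    # Browsers tolerate whitespace and newlines inside the scheme, so normalise first.
    return re.sub(r"\s", "", value).lower().startswith(("javascript:", "vbscript:", "data:"))

def strip_script_tags(svg: str) -> str:
    """Denylist (assumed model of the flawed behaviour): only <script>...</script> is removed."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", svg, flags=re.I | re.S)

def find_xss_vectors(svg: str) -> list[str]:
    """Walk the parsed tree and report every element or attribute able to run script."""
    findings = []
    for elem in ET.fromstring(svg).iter():
        name = local_name(elem.tag)
        if name in FLAGGED_ELEMENTS:
            findings.append(f"element:{name}")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(f"attribute:{aname}")
            elif is_script_uri(value):
                findings.append(f"{aname}=script-uri")
    return findings

def _scrub(elem: ET.Element) -> None:
    for child in list(elem):
        if local_name(child.tag) in ALLOWED_ELEMENTS:
            _scrub(child)
        else:
            elem.remove(child)  # whole subtree goes, including foreignObject's embedded HTML
    for attr, value in list(elem.attrib.items()):
        aname = local_name(attr)
        if aname not in ALLOWED_ATTRIBUTES or aname.startswith("on") or is_script_uri(value):
            del elem.attrib[attr]

def sanitize_svg_allowlist(svg: str) -> str:
    """Allowlist: parse, keep only known-safe elements and attributes, re-serialise."""
    root = ET.fromstring(svg)
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _scrub(root)
    ET.register_namespace("", SVG_NS)  # emit the default namespace, not ns0: prefixes
    return ET.tostring(root, encoding="unicode")

def compare(payloads: dict[str, str] = PAYLOADS) -> dict[str, tuple[list[str], list[str]]]:
    """Per payload: vectors surviving the denylist vs. vectors surviving the allowlist."""
    return {name: (find_xss_vectors(strip_script_tags(svg)),
                   find_xss_vectors(sanitize_svg_allowlist(svg)))
            for name, svg in payloads.items()}

if __name__ == "__main__":
    for name, (after_denylist, after_allowlist) in compare().items():
        print(f"{name:16} denylist leaves {after_denylist or 'nothing'}; "
              f"allowlist leaves {after_allowlist or 'nothing'}")
```

Run stand-alone, the script shows the denylist stopping only the script_tag payload while every other vector survives, and the allowlist leaving nothing in any of them. To review files already in wp-content/uploads, read each .svg and pass its contents to find_xss_vectors(); a non-empty result, or an XML parse error, marks a file for manual inspection.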


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-01-05T22:04:46.579Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6960bf3fecefc3cd7c1371c8

Added to database: 1/9/2026, 8:41:35 AM

Last enriched: 1/16/2026, 10:07:02 AM

Last updated: 2/6/2026, 5:58:50 PM
