CVE-2026-0627: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mohammed_kaludi AMP for WP – Accelerated Mobile Pages
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
AI Analysis
Technical Summary
CVE-2026-0627 is a stored cross-site scripting vulnerability classified under CWE-79, found in the AMP for WP – Accelerated Mobile Pages plugin for WordPress, maintained by mohammed_kaludi. The vulnerability exists in all versions up to and including 1.1.10. It stems from improper sanitization of SVG file uploads, where the plugin only removes <script> tags but fails to neutralize other XSS attack vectors embedded within SVG content, such as event handler attributes (e.g., onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This allows an authenticated attacker with Author-level or higher privileges to upload a crafted SVG file containing malicious JavaScript. When other users view the uploaded SVG file, the malicious script executes in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions within the context of the affected site. The vulnerability requires no user interaction beyond viewing the SVG file and has a CVSS 3.1 base score of 6.4, indicating medium severity. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the attacker’s privileges. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks of insufficient input sanitization in web applications handling complex file formats like SVG, which can embed executable code in multiple ways beyond simple script tags.
Potential Impact
This vulnerability can lead to unauthorized script execution in the context of affected websites, compromising user confidentiality and data integrity. Attackers with Author-level access can leverage this to escalate privileges indirectly by targeting site administrators or other users with higher privileges who view the malicious SVG files. Potential impacts include session hijacking, theft of sensitive information, defacement, or unauthorized actions performed on behalf of legitimate users. Since the vulnerability is stored and triggers upon viewing, it can persistently affect multiple users. The availability of the site is not directly impacted. Organizations running WordPress sites with the AMP for WP plugin are at risk, especially those allowing multiple authors or contributors to upload media. The medium CVSS score reflects the moderate ease of exploitation (authenticated user required) and the significant impact on confidentiality and integrity. The lack of user interaction requirement beyond viewing increases the risk of widespread exploitation once malicious SVGs are uploaded.
Mitigation Recommendations
Immediate mitigation involves restricting SVG file uploads to trusted users only or disabling SVG uploads entirely until a patch is available. Implement additional server-side sanitization of SVG files using robust libraries that neutralize all executable content, including event handlers and foreignObject elements, not just <script> tags. Employ Content Security Policy (CSP) headers to restrict script execution origins and reduce the impact of XSS attacks. Regularly audit user privileges to minimize the number of users with Author-level or higher access. Monitor uploaded media files for suspicious content and remove any untrusted SVG files. Update the AMP for WP plugin promptly once the vendor releases a security patch addressing this vulnerability. Additionally, educate site administrators and users about the risks of uploading complex file types and encourage the use of safer image formats where possible.
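As an added illustration of the sanitization point above (example code written for this page, not the plugin's own code or anything from the advisory), the following Python compares a filter that removes only `<script>` elements, as the advisory describes, with a parse-and-strip sanitizer that also drops foreignObject and animation elements, every `on*` event-handler attribute and `javascript:` hrefs. The sample SVG and the `x()` handler name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)  # serialize back without ns0: prefixes
# Elements that can carry or trigger script; removed with their whole subtree.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "animate", "animateMotion", "animateTransform", "set"}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}

def local_name(qname):
    """Drop the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]

def strip_script_tags_only(svg):
    """The insufficient approach the advisory describes: remove <script>, nothing else."""
    return re.sub(r"<script\b.*?</script\s*>", "", svg, flags=re.S | re.I)

def sanitize_svg(svg):
    """Hardened approach: parse as XML, drop dangerous elements, on* handler attributes
    and javascript: URLs, then re-serialize from the cleaned tree."""
    root = ET.fromstring(svg)  # ParseError on malformed input: reject, never pass through
    if local_name(root.tag) in DANGEROUS_ELEMENTS:
        raise ValueError("root element is not allowed")
    for el in list(root.iter()):  # snapshot so removals do not disturb the walk
        for child in list(el):
            if local_name(child.tag) in DANGEROUS_ELEMENTS:
                el.remove(child)
        for name in list(el.attrib):
            if local_name(name).lower().startswith("on"):  # onload, onerror, onmouseover ...
                del el.attrib[name]
            elif name in URL_ATTRS and el.attrib[name].strip().lower().startswith("javascript:"):
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode")

def remaining_vectors(svg):
    """Audit helper: dangerous elements and on* attributes still present, in document order."""
    found = []
    for el in ET.fromstring(svg).iter():
        if local_name(el.tag) in DANGEROUS_ELEMENTS:
            found.append(local_name(el.tag))
        found += [local_name(a) for a in el.attrib if local_name(a).lower().startswith("on")]
    return found

# Constructed sample covering the vector classes the advisory names; x() is a placeholder.
SAMPLE_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="x()"><script>x()</script>'
    '<circle r="5" onmouseover="x()"/>'
    '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml" onclick="x()"/></foreignObject>'
    '<set attributeName="href" to="javascript:x()"/></svg>'
)
```

Running `remaining_vectors` over the output of each filter shows the script-only filter leaving the onload, onmouseover, foreignObject, onclick and set vectors in place, while `sanitize_svg` returns a document with only the circle.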
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, Brazil, France, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-05T22:04:46.579Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6960bf3fecefc3cd7c1371c8
Added to database: 1/9/2026, 8:41:35 AM
Last enriched: 2/26/2026, 6:31:25 PM
Last updated: 3/26/2026, 3:29:15 AM