CVE Catalog

CVE-2026-9067

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.06%

18th percentile — higher than 18% of all known CVEs

Summary

The Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library.

Risk Assessment

The organization may be exposed to attacks where unauthenticated users upload malicious files, potentially leading to system compromise or data leakage.

Recommendation

It is recommended to update the plugin to the latest version and implement additional mechanisms for verifying permissions and file types on the server.

Original NVD description (English source)

The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS