CVE-2024-1586 MEDIUM

CVE-2024-1586: Schema & Structured Data for WP & AMP <= 1.26 - Authenticated (Custom) Stored Cross-Site Scripting

Vendor Magazine3
Product Schema & Structured Data for WP & AMP
Weakness CWE-79 · XSS
Published February 20, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom schema in all versions up to, and including, 1.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default the required authentication level is admin, but administrators have the ability to assign role based access to users as low as subscriber.

Key dates

02Disclosure timeline

February 20, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-43712 Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS) CVE-2024-43712 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2024-51939 WordPress Stylish Internal Links plugin <= 1.9 - Cross Site Scripting (XSS) vulnerability CVE-2022-44582 WordPress Apptivo Business Site CRM Plugin <= 3.0.12 is vulnerable to Cross Site Scripting (XSS) CVE-2024-34443 WordPress Slider Revolution plugin < 6.7.11 - Cross Site Scripting (XSS) vulnerability