What the vulnerability does
01 Description
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
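An allowlist check for uploaded SVG files, as an added example in Python (not the plugin's code or its fix). It rejects the vectors named above, which survive a filter that strips only `<script>` tags: event-handler attributes, foreignObject and animation elements. The allowlist, the function names and the sample files are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allowlist for this example; extend it to the elements your site needs.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line", "polyline",
                "polygon", "title", "desc", "defs", "lineargradient",
                "radialgradient", "stop"}

def local(name):
    """Drop the XML namespace and lowercase: '{ns}onLoad' -> 'onload'."""
    return name.rsplit("}", 1)[-1].lower()

def audit_svg(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means it passed."""
    try:
        text = data.decode("utf-8")  # one fixed encoding, so the checks see what the parser sees
    except UnicodeDecodeError:
        return ["not UTF-8"]
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["DOCTYPE/ENTITY declaration"]  # refuse DTDs before parsing
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag not in ALLOWED_TAGS:  # catches script, foreignObject, animate, set, ...
            findings.append(f"element <{tag}> not on allowlist")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):  # onload, onerror, onmouseover, ...
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href" and not value.strip().startswith("#"):
                findings.append(f"non-fragment href on <{tag}>")
    return findings

# Constructed samples (not taken from the advisory); handler bodies are inert.
NS = 'xmlns="http://www.w3.org/2000/svg"'
SAMPLES = {
    "clean": f'<svg {NS}><path d="M0 0h8v8z"/></svg>',
    "handler": f'<svg {NS} onload="f()"><rect width="1" height="1"/></svg>',
    "foreign": f'<svg {NS}><foreignObject><b onmouseover="f()"/></foreignObject></svg>',
    "animate": f'<svg {NS}><rect><animate attributeName="x" to="1"/></rect></svg>',
}

if __name__ == "__main__":
    for label, svg in SAMPLES.items():
        print(label, audit_svg(svg.encode()) or "ok")
```

Only the "clean" sample passes, although none of the four contains a `<script>` tag. The same function can be run over SVG files already in the uploads directory to find ones accepted before the plugin was updated.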
Explanation of Vulnerability in Simple Terms
02 Summary
AMP for WP versions up to and including 1.1.10 contain a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts. The vulnerability lies in the plugin's handling of uploaded SVG files, enabling attackers with low-level access to modify page content for other users. Because the injected script runs in the browser of whoever views the file, the impact extends beyond the vulnerable component (a scope change).
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute in other users' browsers and modify site content.
Potential impact on your site
04 Site Impact
Authenticated attackers can deface pages, steal session tokens, or redirect visitors to malicious sites.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account (e.g., subscriber or contributor role) on the WordPress site.
Key dates
06 Disclosure timeline
January 9, 2026: CVE published
April 8, 2026: Record updated