Schema & Structured Data for WP & AMP

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.

AI Analysis

Unauthenticated arbitrary media upload vulnerability in Schema & Structured Data for WP & AMP WordPress plugin before 1.60

Basic Information

ID CVE-2026-9067

Source WPScan

Published Jun 10, 2026 at 06:00

Modified Jun 10, 2026 at 10:44

Affected Product

Vendor Unknown

Product Schema & Structured Data for WP & AMP

Affected Versions Unknown Schema & Structured Data for WP & AMP 0

CWE Classification

CWE-434

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor WordPress

Product Schema & Structured Data for WP & AMP

Version < 1.60

References

wpscan.com /vulnerability/7fac98eb-f82c-4705-a956-aba650945826/

{
    "lastseen": "",
    "description": "The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.",
    "published": "2026-06-10T06:00:12.194Z",
    "modified": "2026-06-10T10:44:28.578Z",
    "type": "cve",
    "title": "Schema & Structured Data for WP & AMP < 1.60 - Unauthenticated Arbitrary Media Upload",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/7fac98eb-f82c-4705-a956-aba650945826/",
    "id": "CVE-2026-9067",
    "bulletinFamily": "",
    "cwe": [
        "",
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "Unknown Schema & Structured Data for WP & AMP 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Schema & Structured Data for WP & AMP",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "Unauthenticated arbitrary media upload vulnerability in Schema & Structured Data for WP & AMP WordPress plugin before 1.60",
    "ai_severity": "Critical",
    "ai_vendor": "WordPress",
    "ai_product": "Schema & Structured Data for WP & AMP",
    "ai_version": "< 1.60",
    "ai_score": 9.1
}

Schema & Structured Data for WP & AMP < 1.60 - Unauthenticated Arbitrary Media Upload_CVE-2026-9067