VYPR
Medium severity 6.1 · NVD Advisory · Published Oct 1, 2025 · Updated Apr 15, 2026

CVE-2025-9512

Description

The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handle HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated stored XSS in Schema & Structured Data for WP & AMP plugin before 1.50 via improper HTML tag attribute handling in comments.

The Schema & Structured Data for WP & AMP WordPress plugin, prior to version 1.50, fails to properly sanitize HTML tag attribute modifications when processing post comments. This vulnerability allows unauthenticated attackers to inject arbitrary JavaScript code that is stored on the server and executed in the browsers of users viewing the affected comments [1].

The attack requires no authentication, as comment submission is typically open to any visitor. The attacker can craft a comment containing malicious HTML attributes, which the plugin does not adequately filter or escape. When the comment is rendered on the page, the injected script executes in the context of the victim's session [1].

Successful exploitation leads to stored cross-site scripting (XSS). An attacker can steal cookies, session tokens, or other sensitive information, perform actions on behalf of the victim, or deface the site. The impact is limited by the browser's same-origin policy but can affect all users who view the compromised comment [1].

The vulnerability is fixed in version 1.50 of the plugin. Users are strongly advised to update immediately. No workaround is provided by the vendor, but disabling comments or using a web application firewall may reduce risk [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
