CVE-2026-9067

Vulnerability

The Schema & Structured Data for WP & AMP WordPress plugin versions before 1.60 fail to properly check user capabilities on frontend AJAX file-upload handlers. Additionally, the plugin does not validate the actual content of uploaded files against the endpoint's intended media type. This allows unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that are intended to only accept images or videos [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the plugin's AJAX file-upload handlers. The attacker does not need any special privileges or user interaction. The vulnerability lies in the lack of capability checks and improper file content validation, allowing any file type to be uploaded as long as WordPress's media library accepts it [1].

Impact

Successful exploitation allows an unauthenticated attacker to upload arbitrary files to the WordPress site. This could lead to various malicious outcomes, including but not limited to, uploading web shells for remote code execution, or other malicious files that could compromise the integrity and availability of the website [1].

Mitigation

The vulnerability is fixed in version 1.60 of the Schema & Structured Data for WP & AMP plugin. Users are strongly advised to update to version 1.60 or later as soon as possible. No workarounds are available, and there is no information regarding an End-of-Life status or if the vulnerability has been added to the KEV catalog [1].