Stored Cross-Site Scripting Vulnerability in AMP for WP Plugin by WordPress
CVE-2026-0627

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Amp For WP – Accelerated Mobile Pages
Vendor: CVE Published:; 9 January 2026

What is CVE-2026-0627?

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via insecure SVG file uploads. This vulnerability arises from the inadequate sanitization of SVG file content, which fails to fully filter out harmful elements, permitting authenticated users with Author-level access and higher to embed malicious scripts. These scripts can execute when a user accesses the uploaded SVG file, thereby exposing them to potential security threats.

Affected Version(s)

AMP for WP – Accelerated Mobile Pages 0 <= 1.1.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/accelerated-mo...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 9, 2026
Vulnerability Reserved
Jan 5, 2026

Credit

andrea bocchetti

CVE-2026-0627 Data

JSON