cleantalk
Vulnerabilities and Security Researches

AMP for WP – Accelerated Mobile Pages, CVE-2026-0627

CVE, Research URL

CVE-2026-0627

Home page URL

Security reports for AMP for WP – Accelerated Mobile Pages

Application

AMP for WP – Accelerated Mobile Pages

Published on
Jan 09, 2026
Research Description
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
Affected versions
max 1.1.11.
Status
vulnerable
Previous vulnerability researches
iRobots.txt SEO (CVE-2025-68840) , Apr 16, 2026
New vulnerability
Change WP URL (CVE-2026-1398) , Apr 16, 2026
Eli&#039;s WordCents adSense Widget with Analytics (CVE-2025-68872) , Apr 16, 2026
Activity Log WinterLock (CVE-2026-1671) , Apr 16, 2026
Prismatic (CVE-2026-3876) , Apr 16, 2026
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag &amp; Drop WP Form Builder (CVE-2026-4160) , Apr 16, 2026