cleantalk
Vulnerabilities and Security Researches

AMP for WP – Accelerated Mobile Pages, CVE-2026-0627

CVE, Research URL

CVE-2026-0627

Home page URL

Security reports for AMP for WP – Accelerated Mobile Pages

Application

AMP for WP – Accelerated Mobile Pages

Published on
Jan 09, 2026
Research Description
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
Affected versions
max 1.1.11.
Status
vulnerable
Previous vulnerability researches
XO Event Calendar (CVE-2026-0556) , Apr 16, 2026
XO Event Calendar (92562c6c-94a4-427d-97dc-7f5ffddcb6d8) , Jun 07, 2024
New vulnerability
CP Image Store with Slideshow (CVE-2026-0684) , Apr 16, 2026
Payment Page | Best Payment Plugin for Stripe &amp; PayPal (CVE-2026-0751) , Apr 16, 2026
SIBS woocommerce payment gateway (CVE-2026-1370) , Apr 16, 2026
Docus &#8211; YouTube Video Playlist (CVE-2026-1888) , Apr 16, 2026
Change WP URL (CVE-2026-1398) , Apr 16, 2026