[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKEcu57NKybVuzSlgIIafBvBPlRHh8tIBqAz8gdIeiiU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-0627","amp-for-wp-authenticated-contributor-stored-cross-site-scripting-via-svg-file-upload","AMP for WP \u003C= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload","The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `\u003Cscript>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. 
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.","accelerated-mobile-pages",null,"\u003C=1.1.10","1.1.11","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-08 19:34:15","2026-01-09 08:20:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4ed23318-3b47-4336-a3aa-6b09f3911926?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-0627\n\n## 1. Vulnerability Summary\nThe **AMP for WP – Accelerated Mobile Pages** plugin (\u003C= 1.1.10) is vulnerable to **Stored Cross-Site Scripting (XSS)** via SVG file uploads. The vulnerability exists because the plugin's SVG sanitization logic is incomplete. It specifically targets and removes `\u003Cscript>` tags but fails to neutralize other valid SVG-based XSS vectors, such as:\n- XML event handlers (`onload`, `onerror`, `onmouseover`)\n- `foreignObject` elements\n- SVG animation attributes (`begin`, `onbegin`)\n\nThis allows an authenticated attacker with at least **Contributor-level** permissions to upload a malicious SVG file. When a site administrator or any other user views the uploaded file (either directly or via the WordPress media library\u002FAMP settings), the embedded JavaScript executes in their session context.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: The plugin likely provides a custom AJAX handler for uploading assets (like logos or icons) or hooks into the standard WordPress media upload process while applying its own flawed sanitization.\n- **Action\u002FHook**: `wp_ajax_ampforwp_logo_upload` or a similar custom handler (inferred). 
Alternatively, it may filter `wp_handle_upload` specifically for SVG types.\n- **HTTP Parameter**: The file is typically sent via a `multipart\u002Fform-data` POST request with the file data in a parameter like `async-upload` or `file`.\n- **Authentication Level**: Contributor+. While Contributors usually cannot upload files to the Media Library, this plugin may grant this capability for specific AMP-related assets or use a custom AJAX handler that only checks for `edit_posts` capability rather than `upload_files`.\n- **Preconditions**: The plugin must be active, and SVG uploads must be enabled (either by the plugin itself or by a secondary \"SVG Support\" plugin if the plugin relies on the core library).\n\n## 3. Code Flow (Inferred)\n1. **Entry Point**: An authenticated user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with an `action` related to AMP logo\u002Ficon uploads (e.g., `ampforwp_ajax_save_settings` or a dedicated upload action).\n2. **Capability Check**: The handler checks `current_user_can( 'edit_posts' )` instead of `manage_options` or `upload_files`.\n3. **Processing**: The plugin receives the SVG file. It calls a sanitization function, likely named something like `ampforwp_sanitize_svg_files` (inferred) or uses a regex like `preg_replace('\u002F\u003Cscript\\b[^>]*>(.*?)\u003C\\\u002Fscript>\u002Fis', \"\", $content)`.\n4. **Vulnerable Sink**: The sanitization only removes literal `\u003Cscript>` tags. It leaves attributes like `onload` untouched.\n5. **Storage**: The sanitized (but still malicious) SVG is saved to the `wp-content\u002Fuploads\u002F` directory via `wp_handle_upload()` or `file_put_contents()`.\n6. **Execution**: The attacker retrieves the URL of the uploaded SVG and tricks an admin into clicking it, or the SVG is rendered in the AMP settings dashboard.\n\n## 4. Nonce Acquisition Strategy\nTo exploit the AJAX upload handler, a valid nonce is required. 
Based on the plugin architecture, nonces are likely localized for the AMP settings page.\n\n1. **Shortcode\u002FPage**: The AMP settings are usually in the admin area, but if the vulnerability is accessible to Contributors, the nonce may be exposed in the \"Post Editor\" if the plugin adds an AMP-specific meta box.\n2. **Identification**: Look for `wp_localize_script` in the plugin source (likely in `admin\u002Fadmin-settings.php`).\n3. **Extraction**:\n   - Use `wp post create` to create a post as a Contributor.\n   - Use `browser_navigate` to go to the edit page for that post.\n   - Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.ampforwp_obj?.nonce\")` (inferred JS object name) or check `window.ajax_object?.ajax_nonce`.\n4. **Action String**: The nonce action is likely `'ampforwp_ajax_nonce'` or `'ampforwp_logo_upload_nonce'`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Craft Malicious SVG\nCreate a file named `xss.svg` with an event handler:\n```xml\n\u003C?xml version=\"1.0\" standalone=\"no\"?>\n\u003C!DOCTYPE svg PUBLIC \"-\u002F\u002FW3C\u002F\u002FDTD SVG 1.1\u002F\u002FEN\" \"http:\u002F\u002Fwww.w3.org\u002FGraphics\u002FSVG\u002F1.1\u002FDTD\u002Fsvg11.dtd\">\n\u003Csvg version=\"1.1\" baseProfile=\"full\" xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" onload=\"alert('XSS_SUCCESS_CVE_2026_0627')\">\n   \u003Crect width=\"300\" height=\"100\" style=\"fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)\" \u002F>\n   \u003Ctext x=\"10\" y=\"40\" font-family=\"Verdana\" font-size=\"24\" fill=\"white\">SVG XSS Test\u003C\u002Ftext>\n\u003C\u002Fsvg>\n```\n\n### Step 2: Authenticated Upload Request\nUsing the `http_request` tool, simulate the upload.\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: multipart\u002Fform-data`\n- **Body**:\n  - `action`: `ampforwp_ajax_upload_file` (inferred)\n  - `nonce`: `[EXTRACTED_NONCE]`\n  - `file`: 
`xss.svg` (binary\u002Ftext content)\n\n### Step 3: Triggering XSS\n1. Identify the location of the uploaded file from the AJAX response (e.g., `{\"success\":true,\"url\":\"...\u002Fuploads\u002Fxss.svg\"}`).\n2. Navigate to the returned URL using `browser_navigate`.\n3. Confirm the `alert` or presence of the `onload` attribute in the rendered source.\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Install and activate `accelerated-mobile-pages` version 1.1.10.\n2. **User Creation**:\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n3. **Settings Page**: Ensure the \"Logo\" upload feature is enabled in AMP settings.\n\n## 7. Expected Results\n- The AJAX response should return `success: true` and a URL for the uploaded file.\n- The SVG file, when fetched, must contain the `onload` attribute (proving it was not stripped).\n- When the URL is visited in a browser, the JavaScript in the `onload` attribute should execute.\n\n## 8. Verification Steps\n1. **File Content Check**:\n   ```bash\n   cat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fxss.svg\n   ```\n   Verify that `onload=\"alert(...)\"` is present in the file on the filesystem.\n2. **Database Check**: Check if the attachment was created:\n   ```bash\n   wp post list --post_type=attachment --name=xss\n   ```\n3. **Response Validation**: Ensure the HTTP response code is `200 OK` and the body contains the path to the SVG.\n\n## 9. 
Alternative Approaches\n- **Animation Vector**: If `onload` is stripped (unlikely based on description), try `\u003Canimate onbegin=\"alert(1)\" ...>`.\n- **ForeignObject Vector**: Use `\u003CforeignObject>\u003Chtml:div xmlns:html=\"http:\u002F\u002Fwww.w3.org\u002F1999\u002Fxhtml\">\u003Cscript>alert(1)\u003C\u002Fscript>\u003C\u002Fhtml:div>\u003C\u002FforeignObject>` (though the description says `\u003Cscript>` tags are removed, it might only remove them at the top level).\n- **Settings Injection**: Check if the plugin allows setting the \"Logo URL\" to a `data:image\u002Fsvg+xml;base64,...` string via a POST request to `options.php` or a settings AJAX handler, which would also result in Stored XSS if reflected in the AMP dashboard.","The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in versions up to, and including, 1.1.10. This is due to insufficient sanitization that only removes \u003Cscript> tags while allowing event handlers and other XSS-capable SVG elements. 
Authenticated attackers with Contributor-level access or higher can upload malicious SVG files that execute arbitrary scripts when viewed.","--- a\u002Fincludes\u002Fadmin\u002Fadmin-settings.php\n+++ b\u002Fincludes\u002Fadmin\u002Fadmin-settings.php\n@@ -254,7 +254,14 @@\n \tpublic function ampforwp_sanitize_svg_files( $file_content ) {\n-\t\t$file_content = preg_replace('\u002F\u003Cscript\\b[^>]*>(.*?)\u003C\\\u002Fscript>\u002Fis', \"\", $file_content);\n+\t\t\u002F\u002F Improved sanitization for SVG files to prevent XSS\n+\t\t$file_content = preg_replace('\u002F\u003Cscript\\b[^>]*>(.*?)\u003C\\\u002Fscript>\u002Fis', \"\", $file_content);\n+\t\t\u002F\u002F Remove event handlers like onload, onerror, etc.\n+\t\t$file_content = preg_replace('\u002F\\s+on[a-z]+\\s*=\\s*\"[^\"]*\"\u002Fis', \"\", $file_content);\n+\t\t$file_content = preg_replace('\u002F\\s+on[a-z]+\\s*=\\s*\\'[^\\']*\\'\u002Fis', \"\", $file_content);\n+\t\t\u002F\u002F Remove dangerous SVG-specific tags and animation attributes\n+\t\t$file_content = preg_replace('\u002F\u003C(animate|animateColor|animateMotion|animateTransform|set|foreignObject)\\b[^>]*>\u002Fis', \"\", $file_content);\n+\t\t$file_content = preg_replace('\u002F\\s+(begin|onbegin|onend|onrepeat)\\s*=\\s*\"[^\"]*\"\u002Fis', \"\", $file_content);\n \t\treturn $file_content;\n \t}","1. Authenticate to the WordPress site with at least Contributor-level privileges.\n2. Obtain a valid security nonce required for the plugin's AJAX settings or asset upload functionality (e.g., logo upload).\n3. Craft a malicious SVG file containing XSS vectors that bypass script tag removal, such as: \u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" onload=\"alert(origin)\">\u003C\u002Fsvg>.\n4. Send a multipart POST request to wp-admin\u002Fadmin-ajax.php using the appropriate action and the extracted nonce to upload the SVG.\n5. Retrieve the URL of the uploaded file from the server response. 
The payload triggers when an administrator views the file directly or via the AMP dashboard.","gemini-3-flash-preview","2026-05-05 13:14:11","2026-05-05 13:15:28",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","1.1.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccelerated-mobile-pages\u002Ftags\u002F1.1.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faccelerated-mobile-pages.1.1.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccelerated-mobile-pages\u002Ftags\u002F1.1.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faccelerated-mobile-pages.1.1.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccelerated-mobile-pages\u002Ftags"]
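Review bot: the hunk in includes/admin/admin-settings.php keeps the regex-denylist design that caused the original issue, so the added `preg_replace` calls in `ampforwp_sanitize_svg_files()` still only strip the specific spellings they enumerate. Two consistency points stand out: the `on[a-z]+` handler removal has both a double-quoted and a single-quoted variant, but the `(begin|onbegin|onend|onrepeat)` line handles only double-quoted values, and the `(animate|...|foreignObject)` pattern removes opening tags while leaving their closing tags and inner content in the file. For a file format that is parsed as XML by the browser, the robust fix is to load the SVG with `DOMDocument`, keep only an allowlist of elements and attributes (or delegate to a maintained SVG sanitizer library), and add unit tests that feed the vectors named in this record (`onload`, `onerror`, `onmouseover`, `foreignObject`, animation attributes) through the sanitizer and assert they are gone before `return $file_content;`.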