CVE-2026-9067 Overview
CVE-2026-9067 affects the Schema & Structured Data for WP & AMP WordPress plugin in versions prior to 1.60. The plugin exposes frontend AJAX file-upload handlers that fail to check user capabilities and do not validate uploaded file content against the endpoint's intended media type. Unauthenticated attackers can upload arbitrary file types accepted by the WordPress media library through endpoints meant only for images or videos. This unrestricted upload weakness is tracked as [CWE-434].
Critical Impact
Unauthenticated attackers can upload arbitrary files to vulnerable WordPress sites, enabling potential webshell delivery, content tampering, and full site compromise.
Affected Products
- Schema & Structured Data for WP & AMP WordPress plugin versions before 1.60
- WordPress installations with the vulnerable plugin activated
- Sites exposing the plugin's frontend AJAX endpoints to anonymous traffic
Discovery Timeline
- 2026-06-10 - CVE-2026-9067 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-9067
Vulnerability Analysis
The Schema & Structured Data for WP & AMP plugin registers frontend AJAX actions that handle file uploads. These handlers omit capability checks such as current_user_can() and do not verify nonce-bound user context. Anonymous requests reach the upload logic directly through admin-ajax.php.
The handler also fails to validate the true content of submitted files. It relies on client-supplied MIME hints or extension checks rather than inspecting actual file content. Any file type permitted by the WordPress media library can pass through endpoints that should only accept images or videos.
Attackers can place arbitrary content in wp-content/uploads/. Depending on server configuration and other installed plugins, this primitive can chain into remote code execution, persistent defacement, or staging of malicious payloads.
Root Cause
The root cause is missing authorization combined with improper file content validation [CWE-434]. The plugin treats frontend AJAX endpoints as public utilities and trusts client-provided file metadata. No server-side inspection enforces that uploads match the intended media class for the endpoint.
Attack Vector
Exploitation occurs over the network with no authentication and no user interaction. An attacker sends a crafted multipart/form-data POST request to the vulnerable AJAX action on the target site. The payload includes a file whose extension or declared MIME falls within WordPress's allowed media types while its contents serve the attacker's goal. The server stores the file in the uploads directory and returns its URL.
No verified public exploit code is referenced in the advisory. Technical details are available in the WPScan Vulnerability Analysis.
Detection Methods for CVE-2026-9067
Indicators of Compromise
- Unexpected files in wp-content/uploads/ with media extensions but non-media content such as PHP, HTML, or script payloads.
- POST requests to admin-ajax.php from unauthenticated sessions invoking the plugin's upload actions.
- New or modified files in upload directories without corresponding authenticated administrator activity in WordPress logs.
Detection Strategies
- Inspect web server access logs for anonymous POST traffic targeting wp-admin/admin-ajax.php with the plugin's upload action parameters.
- Scan the uploads directory for files whose magic bytes do not match their declared extensions using tools such as file or YARA rules.
- Correlate spikes in upload volume with absence of authenticated WordPress session cookies in the same request flow.
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php and forward logs to a centralized SIEM for analysis.
- Alert on creation of executable file types within wp-content/uploads/ and on web server processes spawning shells from that directory.
- Track outbound connections originating from PHP-FPM or Apache workers handling uploaded content.
How to Mitigate CVE-2026-9067
Immediate Actions Required
- Update the Schema & Structured Data for WP & AMP plugin to version 1.60 or later on all WordPress sites.
- Audit the wp-content/uploads/ directory for unexpected files created since the plugin was installed and remove malicious content.
- Block direct execution of PHP and other script handlers within the uploads directory at the web server level.
Patch Information
The vendor addressed the issue in version 1.60 of the plugin by adding capability checks on the frontend AJAX upload handlers and validating uploaded file content against the endpoint's intended media type. Administrators should apply the update through the WordPress plugin manager or WP-CLI. See the WPScan Vulnerability Analysis for full advisory details.
Workarounds
- Deactivate the plugin until the patched version can be deployed if immediate upgrade is not possible.
- Restrict access to admin-ajax.php upload actions using a Web Application Firewall rule that blocks anonymous POST requests to the affected actions.
- Enforce server-level controls preventing script execution under wp-content/uploads/ via Apache .htaccess or Nginx location directives.
# Nginx configuration to prevent script execution in WordPress uploads
location ~* /wp-content/uploads/.*\.(php|phtml|phar|pl|py|jsp|asp|sh|cgi)$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
