CVE-2026-9067
Status: Received - Intake
Unauthenticated File Upload in Schema & Structured Data for WP & AMP

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: WPScan

Description
The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.
Meta Information
  • Published: 2026-06-10
  • Last Modified: 2026-06-10
  • Generated: 2026-06-10
  • AI Q&A: 2026-06-10
  • EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
  • Vendor: wp_media
  • Product: schema_structured_data_for_wp_amp
  • Version / Range: up to 1.60 (exclusive)
CWE
  • CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Quick Actions (AI-generated insights)
Executive Summary

The vulnerability CVE-2026-9067 affects the WordPress plugin "Schema & Structured Data for WP & AMP" versions prior to 1.60. It occurs because the plugin does not check user capabilities on its frontend AJAX file-upload handlers and fails to validate the actual content of uploaded files against the intended media type.

This allows unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos. The plugin only checks the client-supplied Content-Type header, which can be spoofed, so attackers can upload non-image files such as CSV, PDF, or ZIP.

Uploaded files are saved in the WordPress uploads directory and remain publicly accessible. However, executable files like PHP or HTML are blocked by WordPress core, preventing remote code execution or stored cross-site scripting.

Impact Analysis

This vulnerability allows unauthenticated attackers to upload arbitrary files to your WordPress server, potentially leading to disk space consumption and hosting of attacker-controlled content.

Although executable files are blocked, the presence of arbitrary files could be used for malicious purposes such as hosting phishing pages or distributing malicious content.

The uploaded files remain publicly accessible, which could expose your site to reputational damage or misuse.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized file uploads to the WordPress uploads directory via the plugin's frontend AJAX file-upload handlers.

Since the plugin allows unauthenticated users to upload arbitrary files by exploiting improper validation, look for unusual file types (such as CSV, PDF, or ZIP) in the uploads directory, which should normally contain only images or videos. Because the plugin trusts the client-supplied Content-Type, also check that files carrying image or video extensions actually start with the bytes of that format.

Commands to help detect this include scanning the uploads directory for unexpected file types and checking web server logs for POST requests to the plugin's AJAX endpoints.

  • Find files with uncommon extensions in the uploads directory: `find wp-content/uploads/ -type f \! -name '*.jpg' \! -name '*.jpeg' \! -name '*.png' \! -name '*.gif' \! -name '*.mp4' \! -name '*.mov'`
  • Search web server logs for POST requests to the plugin's AJAX upload endpoints: `grep 'POST' /var/log/apache2/access.log | grep 'admin-ajax.php'` (adjust path and filename as needed)
  • Use WP-CLI to list recent media-library attachments and review any that were not added by a known user, if applicable.
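The two checks described above, as an added example that is not part of the CVE record or of the plugin's code: the script walks an uploads tree and reports files whose extension is not one an image/video endpoint should produce, plus files whose leading bytes disagree with their extension (the content check the vulnerable versions skipped), and it parses combined-format access log lines for POST requests to admin-ajax.php. The extension allowlist, the magic-byte table, the sample files and the log lines are all assumptions constructed for the example; adjust the allowlist to what your site legitimately hosts.

```python
"""
Added example (not from the CVE record or the plugin): defender-side checks
for an uploads directory and for web-server access logs.
All file contents and log lines below are constructed for the example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumed allowlist: what the plugin's image/video endpoints should produce.
EXPECTED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov"}

# Combined log format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def content_matches_extension(path: Path) -> bool:
    """True if the file's leading bytes agree with what its extension claims."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(12)
    if ext in (".jpg", ".jpeg"):
        return head.startswith(b"\xff\xd8\xff")
    if ext == ".png":
        return head.startswith(b"\x89PNG\r\n\x1a\n")
    if ext == ".gif":
        return head[:6] in (b"GIF87a", b"GIF89a")
    if ext in (".mp4", ".mov"):
        # ISO base media files carry "ftyp" at byte offset 4.
        return head[4:8] == b"ftyp"
    return False


def scan_uploads(root: str | Path) -> dict[str, list[str]]:
    """Report unexpected extensions and files whose bytes do not match their extension."""
    root = Path(root)
    findings: dict[str, list[str]] = {"unexpected_extension": [], "content_mismatch": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in EXPECTED_EXTENSIONS:
            findings["unexpected_extension"].append(rel)
        elif not content_matches_extension(path):
            findings["content_mismatch"].append(rel)
    return findings


def suspicious_ajax_posts(lines) -> list[dict[str, str]]:
    """Return the POST requests to admin-ajax.php found in combined-format log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        host, when, method, target, status, size = m.groups()
        if method == "POST" and "admin-ajax.php" in target:
            hits.append({"host": host, "time": when, "target": target,
                         "status": status, "size": size})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Jun/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2026:12:00:02 +0000] "GET /wp-content/uploads/2026/06/report.csv HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jun/2026:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]


def build_sample_uploads(directory: Path) -> None:
    """Write constructed files: a PNG header, a CSV, text named .jpg, an MP4 header."""
    sub = directory / "2026" / "06"
    sub.mkdir(parents=True)
    (sub / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (sub / "report.csv").write_bytes(b"id,email\n1,user@example.invalid\n")
    (sub / "notes.jpg").write_bytes(b"this is not a jpeg\n")
    (sub / "clip.mp4").write_bytes(b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16)


def demo() -> dict[str, list[str]]:
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(Path(tmp))
        return scan_uploads(tmp)


if __name__ == "__main__":
    print(demo())
    print(suspicious_ajax_posts(SAMPLE_LOG_LINES))
```

On a real site, call `scan_uploads("wp-content/uploads")` and feed `suspicious_ajax_posts()` the lines of your access log; the log check only narrows the candidate requests, since legitimate plugins also post to admin-ajax.php, so correlate hits by time with files the scan flags.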
Mitigation Strategies

The immediate and most effective mitigation is to update the Schema & Structured Data for WP & AMP WordPress plugin to version 1.60 or later, where this vulnerability is fixed.

Until the update can be applied, consider restricting access to the plugin's frontend AJAX file-upload handlers to authenticated users only, if possible.

Additionally, monitor and remove any unauthorized files uploaded to the WordPress uploads directory to prevent disk consumption and hosting of attacker-controlled content.

Ensure that your WordPress core is up to date, as it blocks executable files like PHP or HTML from being uploaded, preventing remote code execution.

Compliance Impact

The vulnerability allows unauthenticated users to upload arbitrary files to the server, which can lead to hosting attacker-controlled content and potential disk consumption.

Although executable files are blocked and remote code execution or stored cross-site scripting is prevented, the presence of unauthorized files could still pose risks related to data integrity and security.

This could impact compliance with standards and regulations such as GDPR or HIPAA, which require strict controls over data security and unauthorized access, by potentially exposing the system to unauthorized data uploads and storage.
