Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable admin function (AV:N) but needs Author+ account with an admin-granted capability (PR:L) plus crafted ZIP and PHP-executing uploads (AC:H), yielding full RCE impact (C/I/A:H).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The AMP for WP - Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories and files. This makes it possible for authenticated attackers, with Author-level access and above, and permissions granted by an Administrator, to write arbitrary files to the server in a web-accessible location, potentially leading to remote code execution on hosts that execute PHP files in the uploads directory.
AnalysisAI
Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account at Author level or above (PR:L) that has additionally been granted the plugin's local-font/options permission by an Administrator - both conditions are explicitly stated in the description and are hard prerequisites. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (base 7.5, High) is internally consistent with the description: network-reachable admin interface (AV:N), authenticated Author-level access plus an Administrator-granted permission (PR:L), high attack complexity because exploitation depends on both the malicious ZIP structure and the server actually executing PHP from uploads (AC:H), and full confidentiality/integrity/availability impact once code runs (C:H/I:H/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls (or has compromised) an Author-level WordPress account that an Administrator has granted local-font permissions crafts a ZIP archive containing a PHP webshell with nested path entries. Uploading it through the AMP for WP local-font feature triggers ampforwp_save_local_font(), which extracts the shell into a web-accessible uploads location; the attacker then requests that PHP file to execute arbitrary code. … |
| Remediation | Upgrade AMP for WP to the fixed release published in the plugin repository; an upstream fix is available via WordPress.org changeset 3512870 (https://plugins.trac.wordpress.org/changeset/3512870/), so update to the first tagged version above 1.1.12 that includes this changeset - the released patched version number is not independently confirmed from the input, so verify the target version against the plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify WordPress installations running AMP for WP (versions ≤1.1.12) and determine whether PHP execution is enabled in the uploads directory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42041
GHSA-gw54-4vv6-gpqx