
Schema & Structured Data WordPress Plugin EUVD-2026-35988

CVE-2026-9067 · CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-10 · WPScan · GHSA-cwcg-79p4-f24h
CVSS 3.1 (NVD): 9.1

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Jun 10, 2026 - 11:23 (vuln.today): Analysis generated
Jun 10, 2026 - 11:22 (NVD): CVSS changed to 9.1 (CRITICAL)
Jun 10, 2026 - 08:01 (EUVD): Patch available
Jun 10, 2026 - 06:00 (nvd): CVE published, CRITICAL 9.1
Jun 10, 2026 - 06:00 (nvd): CVE published, UNKNOWN (no severity yet)

Description (NVD)

The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.

Analysis (AI)

Unauthenticated arbitrary file upload in the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 allows remote attackers to upload any file type accepted by WordPress's media library through frontend AJAX handlers intended for images and videos only. The plugin fails to perform user capability checks and does not validate uploaded file content against the endpoint's declared media type. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Scan WordPress sites for vulnerable plugin
Delivery: Send crafted multipart POST to AJAX upload endpoint
Exploit: Bypass missing capability and content-type checks
Execution: Drop dangerous file into wp-content/uploads
Persist: Retrieve uploaded file via public URL
Impact: Execute payload or stage further attack

Vulnerability Assessment (AI)

Exploitation: The vulnerable plugin (Schema & Structured Data for WP & AMP, version < 1.60) must be installed and activated on a network-reachable WordPress site, and the affected frontend AJAX file-upload handlers must be exposed via wp-admin/admin-ajax.php (the default WordPress behavior, which permits unauthenticated invocation of registered wp_ajax_nopriv_* actions). …

Risk Assessment: The CVSS 9.1 score (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) aligns with real-world risk: network-reachable, low-complexity, no privileges and no user interaction required, yielding high confidentiality and integrity impact. …

Exploit Scenario: An unauthenticated attacker scans WordPress sites for the vulnerable plugin and sends a crafted multipart POST request to the frontend AJAX upload endpoint, supplying a file with an extension permitted by WordPress's media library (e.g., a polyglot or otherwise dangerous file masquerading as accepted content) while the endpoint expects only an image or video. Because there is no capability check and no content-type validation, the file lands in wp-content/uploads, where it can be retrieved by URL for malware staging, phishing kit hosting, or, if the server permits execution in the uploads path, code execution. …

Remediation: Vendor-released patch: upgrade the Schema & Structured Data for WP & AMP plugin to version 1.60 or later, which addresses both the missing capability check and the content-type validation gap per the WPScan advisory (https://wpscan.com/vulnerability/7fac98eb-f82c-4705-a956-aba650945826/). …
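The description and remediation above name two missing controls: a user capability check on the frontend AJAX upload handlers, and validation of the uploaded file's real content against the endpoint's intended media type. The following is a constructed illustration of an image-upload AJAX handler that applies both, written for this page; it is not the plugin's code or its patch, and the action name, function name and form field names are assumed.

```php
<?php
// Constructed example (not the plugin's code): a WordPress AJAX image-upload handler
// with the capability check and content validation that this advisory says were absent.

// Registered for logged-in users only. There is deliberately no wp_ajax_nopriv_
// registration, so admin-ajax.php will not route unauthenticated requests here.
add_action( 'wp_ajax_example_schema_image_upload', 'example_schema_image_upload' );

function example_schema_image_upload() {
    // CSRF token bound to this specific action (nonce field name is assumed).
    check_ajax_referer( 'example_schema_image_upload', 'nonce' );

    // Capability check: only users allowed to add media may reach the uploader.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }

    // Content validation: this endpoint is for images, so the accepted MIME list is
    // narrowed to image types instead of the full media-library list. WordPress's
    // wp_check_filetype_and_ext() inspects the file bytes, not only the extension.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $_FILES['image']['tmp_name'], $_FILES['image']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || 0 !== strpos( $check['type'], 'image/' ) ) {
        wp_send_json_error( array( 'message' => 'Only image files are accepted.' ), 415 );
    }

    // Hand off to the core uploader with the same restricted MIME list; test_form is
    // false because this is an AJAX request rather than the admin upload form.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['image'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

A video endpoint would follow the same shape with a video/* MIME list; the point is that the accepted types are decided per endpoint and enforced on content, not on the client-supplied filename.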

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations to identify those running the Schema & Structured Data for WP & AMP plugin and document current versions. …


EUVD-2026-35988 vulnerability details – vuln.today
