Skip to main content

Amp For Wp Accelerated Mobile Pages

1 CVEs product

Monthly

CVE-2026-6101 HIGH This Week

Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; an upstream fix is present in the plugin repository (changeset 3512870).

WordPress RCE PHP Amp For Wp Accelerated Mobile Pages
NVD
CVSS 3.1
7.5
EPSS
0.6%
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; an upstream fix is present in the plugin repository (changeset 3512870).

WordPress RCE PHP +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy