CVE-2026-9067
Received
Published: 10 Jun 2026, 06:00
Last modified:10 Jun 2026, 10:44
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.1 CRITICAL
v3.1 (cve.org)
EPSS Score
0.06% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
10 Jun 2026, 06:00
Published
Vulnerability first disclosed
10 Jun 2026, 10:44
Last Modified
Vulnerability information updated
Description
The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Trends
Current EPSS score: 0.06%• Percentile: 18%
Techniques & Countermeasures
- CWE-434•Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Affected Systems
- unknown•schema & structured data for wp & amp
< 1.60