How is CVE-2026-9067 exploited?

Network reachability (required): The vulnerable AJAX endpoints are exposed over the network, so the attacker must be able to reach the WordPress site via HTTP or HTTPS. Authentication (not-required): No account or session token is needed; the plugin performs no capability check before accepting uploads. Victim interaction (not-required): The attacker contacts the upload endpoints directly and no user action on the target site is required to trigger the vulnerability. Attack complexity (info): Exploitation is straightforward and condition-free: a standard HTTP multipart upload request to the exposed endpoint is sufficient with no race conditions or environmental factors to manage.

What is the impact of CVE-2026-9067?

An attacker can write arbitrary files accepted by the WordPress media library to the server's file system, which can be used as a stepping stone to remote code execution if a PHP-executable path is reachable. Confidential files accessible to the web server process, including configuration files and stored credentials, can be read by leveraging uploaded scripts or probing accessible paths. Site content and stored media can be replaced or corrupted, defacing the site or poisoning structured-data feeds consumed by downstream services. The presence of attacker-controlled files in the media library persists across restarts, giving the attacker a durable foothold even if the initial upload vector is later closed.

Back to search

CRITICALCVE-2026-9067Published 2026-06-10Modified 2026-06-10CNA WPScan

CVE-2026-9067: Schema & Structured Data for WP & AMP < 1.60 - Unauthenticated Arbitrary Media Upload

Q: What is CVE-2026-9067?

An unauthenticated arbitrary file upload vulnerability affects the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60. The plugin exposes frontend AJAX file-upload handlers that skip both capability checks and file-content validation, meaning any unauthenticated remote user can upload arbitrary file types to the WordPress media library. Successful exploitation gives an attacker the ability to plant files on the server and read or tamper with sensitive site data. A patched-image rebuild at version 1.60 is available on HarborGuard for affected environments.

Q: How is CVE-2026-9067 fixed?

A patched-image rebuild pinned to Schema & Structured Data for WP & AMP version 1.60 becomes available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 1.60
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated arbitrary file upload vulnerability affects the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60. The plugin exposes frontend AJAX file-upload handlers that skip both capability checks and file-content validation, meaning any unauthenticated remote user can upload arbitrary file types to the WordPress media library. Successful exploitation gives an attacker the ability to plant files on the server and read or tamper with sensitive site data. A patched-image rebuild at version 1.60 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-9067 is ingested from upstream advisory feeds within minutes of publication and matched against all scanned container images, including custom-built WordPress images that bundle this plugin. Coverage extends to images in both customer registries and active CI/CD pipelines.

Available

Triage

HarborGuard scores this vulnerability at CVSS 9.1 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Triage tickets are directed to the appropriate team inbox within each customer org based on configured ownership rules.

Available

Patch

A patched-image rebuild pinned to Schema & Structured Data for WP & AMP version 1.60 becomes available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The vulnerable AJAX endpoints are exposed over the network, so the attacker must be able to reach the WordPress site via HTTP or HTTPS.
AuthenticationNot required
No account or session token is needed; the plugin performs no capability check before accepting uploads.
Victim interactionNot required
The attacker contacts the upload endpoints directly and no user action on the target site is required to trigger the vulnerability.
Attack complexityDetail
Exploitation is straightforward and condition-free: a standard HTTP multipart upload request to the exposed endpoint is sufficient with no race conditions or environmental factors to manage.

Blast Radius

An attacker can write arbitrary files accepted by the WordPress media library to the server's file system, which can be used as a stepping stone to remote code execution if a PHP-executable path is reachable.
Confidential files accessible to the web server process, including configuration files and stored credentials, can be read by leveraging uploaded scripts or probing accessible paths.
Site content and stored media can be replaced or corrupted, defacing the site or poisoning structured-data feeds consumed by downstream services.
The presence of attacker-controlled files in the media library persists across restarts, giving the attacker a durable foothold even if the initial upload vector is later closed.

How HarborGuard Handles This

Available on HarborGuard: container images that include the Schema & Structured Data for WP & AMP plugin at any version below 1.60 are flagged as Critical the moment the CVE is matched during a scan cycle. For customers who opt into auto-remediation, HarborGuard rebuilds the image at plugin version 1.60, executes a regression test run, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and a pre-populated remediation ticket are queued and waiting for sign-off. While awaiting an upgrade, network-policy controls that restrict unauthenticated external access to WordPress AJAX endpoints (specifically wp-admin/admin-ajax.php) can limit exposure, and web application firewall rules that block multipart file uploads from unauthenticated sessions provide an additional compensating control.

See how HarborGuard automates this

Fix available

1.60

Affected packages

Unknown / Schema & Structured Data for WP & AMP
< 1.60 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

wpscan.com

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available