CVE-2026-9067— Schema & Structured Data for WP & AMP < 1.60 - Unauthenticated Arbitrary Media Upload

AI Predicted 9.8 Difficulty: Easy Updated Jun 13, 2026

In-the-Wild Activity Observed github_trending · low

Possible ATT&CK Techniques 1AI

T1505.003 · Web Shell

Updated Jun 13, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Schema & Structured Data for WP & AMP < 1.60 - Unauthenticated Arbitrary Media Upload

Source: NVD (National Vulnerability Database)

Vulnerability Description

The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Unknown	Schema & Structured Data for WP & AMP	0 ~ 1.60	-

II. Public POCs for CVE-2026-9067

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-9067

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-9067 (1)

🔗 Schema & Structured Data for WP & AMP < 1.60 – Unauthenticated Arbitrary Media Upload | CVE 2026-9067 | Plugin Vulnerabilities Read full article exploitvdb-entrytechnical-description

https://nvd.nist.gov/vuln/detail/CVE-2026-9067

Same Patch Batch · Unknown · 2026-06-10 · 4 CVEs total

CVE-2026-9060		Agile Store Locator < 1.6.6 - Admin+ Stored XSS via map_style
CVE-2026-8071		Spam protection, Honeypot, Anti-Spam by CleanTalk < 6.79 - Unauthenticated Stored XSS via
CVE-2026-3326		XStore < 9.7.3 - Unauthenticated SQLi

IV. Related Vulnerabilities

Same product: Schema & Structured Data for WP & AMP

Same vendor: Unknown

V. Comments for CVE-2026-9067

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-9067— Schema & Structured Data for WP & AMP < 1.60 - Unauthenticated Arbitrary Media Upload

Possible ATT&CK Techniques 1AI

I. Basic Information for CVE-2026-9067

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-9067

III. Intelligence Information for CVE-2026-9067

Vendor Advisories for CVE-2026-9067 (1)

Same Patch Batch · Unknown · 2026-06-10 · 4 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-9067

Leave a comment