External risk intelligence

Schema & Structured Data for WP & AMP WordPress Unauthenticated Arbitrary File Upload

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-9067

The Schema & Structured Data for WP & AMP WordPress plugin has an upload-handling flaw that lets unauthenticated users upload any file type, bypassing the restrictions the handler was meant to enforce. Because uploaded files land on the web server, this can lead to unauthorized code execution on the site. Confirm whether the plugin is installed and how exposed each instance is before prioritizing.

Halo Surface Signal

Score: 4

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2026-9067

This vulnerability affects a WordPress plugin that handles file uploads on the frontend. WordPress sites are commonly deployed as public-facing web applications, and the admin-ajax.php endpoint through which plugins expose AJAX handlers is reachable without authentication by design; handlers a plugin registers for logged-out visitors (the wp_ajax_nopriv_ hooks) are therefore exposed to anyone who can reach the site.

PCI scan relevance

PCI Relevance for CVE-2026-9067

Yes

CVE-2026-9067 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Unauthenticated arbitrary file upload through the plugin's AJAX handlers can lead to code execution on the web server, which compromises system integrity; that is what makes it relevant for external PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects a WordPress plugin that handles file uploads, potentially allowing unauthenticated users to upload any file type. The primary concern is to confirm whether this plugin is in use and, if so, to assess its exposure.

  • Unauthenticated users can upload any file type through the plugin's frontend AJAX handlers.
  • Confirm whether the plugin is installed and report its relevance and exposure to leadership.
  • Assess which instances are internet-facing and prioritize them.

Attack Path

How an attacker could exploit the issue

An attacker sends an upload request to the plugin's frontend AJAX handler, which neither checks the requester's permissions nor validates the file type. Because no login is required, anyone who can reach the site can place a file of their choosing on the server; if the web server will execute that file, the result is code execution, and otherwise the attacker can still inject arbitrary content.

  • No authentication required.
  • Upload arbitrary files via frontend AJAX endpoints.
  • High risk of unauthorized code execution.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated users could upload arbitrary files through the plugin's frontend AJAX handlers, bypassing intended restrictions on file types like images or videos. This could occur when the plugin's file upload functionality is exposed to the public internet.

  • At risk: website content and user-uploaded file storage.
  • Vector: uploading any file type via the frontend AJAX handlers.
  • Impact: unauthorized content or code placed on the server.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the Schema & Structured Data for WP & AMP WordPress plugin, likely affecting website owners and their infrastructure or platform teams. The first practical step is to identify all WordPress instances using this plugin, determine their exposure and criticality, and then assign ownership for remediation.

  • Site owners running this plugin own remediation; their infrastructure or platform teams own exposure controls.
  • Verify whether each instance's AJAX handlers are reachable from the internet and how critical the site is.
  • Update to the vendor's fixed version as part of a coordinated rollout; until a fix is applied, deactivating the plugin on internet-facing sites removes the exposed handlers.
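A detection step that goes with the remediation above: if the exposed handler was reached before the update, the evidence is in the uploads tree. The script below walks a WordPress uploads directory and flags files a media upload handler should never have produced. It is an added example written for this page, not vendor tooling or plugin code; the media and executable extension sets are assumptions, and the uploads tree it scans is constructed inline.

```python
"""Forensic check for CWE-434 fallout: walk a WordPress uploads tree and flag
files that a media upload handler should never have written.

Added example for this advisory, not part of the plugin or vendor tooling.
The extension sets are assumptions; the sample tree is constructed below."""
import os
import tempfile

# What a media-only uploader is expected to write (assumed for this example).
MEDIA_EXT = {"png", "jpg", "jpeg", "gif", "webp", "svg", "mp4", "webm", "mp3", "pdf"}
# Extensions a web server may hand to a PHP interpreter.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "inc"}
# Config files that can change how the uploads directory is served.
CONFIG_NAMES = {".htaccess", ".user.ini", "web.config"}


def classify(path):
    """Return a reason string if the file looks wrong in an uploads tree, else None."""
    name = os.path.basename(path).lower()
    if name in CONFIG_NAMES:
        return "server config file in uploads"
    parts = name.split(".")
    exts = parts[1:] if parts[0] else parts[2:]   # ignore a leading dot
    # Any executable extension anywhere in the name counts: 'logo.php.png' too.
    if any(e in EXECUTABLE_EXT for e in exts):
        return "executable extension (possibly hidden behind a second one)"
    if not exts or exts[-1] not in MEDIA_EXT:
        return "non-media extension"
    try:
        with open(path, "rb") as fh:
            head = fh.read(512)
    except OSError:
        return "unreadable"
    if b"<?php" in head or b"<?=" in head:
        return "PHP opening tag inside a media-named file"
    return None


def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            reason = classify(p)
            if reason:
                findings.append((os.path.relpath(p, root), reason))
    return sorted(findings)


def build_sample_uploads():
    """Constructed uploads tree: three legitimate files and four suspicious ones."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    files = {
        "2026/05/banner.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 32,
        "2026/05/clip.mp4": b"\0\0\0\x18ftypmp42",
        "2026/05/brochure.pdf": b"%PDF-1.7\n",
        "2026/05/cache.php": b"<?php echo 'test'; ?>",
        "2026/05/logo.php.png": b"\x89PNG\r\n\x1a\n",
        "2026/05/thumb.jpg": b"<?php echo 'test'; ?>",
        "2026/05/.htaccess": b"AddType application/x-httpd-php .png\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(build_sample_uploads()):
        print(f"{rel}: {why}")
```

Run it against the real wp-content/uploads path on each suspected instance; anything it flags, together with the web server access log entries for admin-ajax.php around that file's modification time, is the starting point for incident response rather than a finding on its own.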

Frequently asked questions

What is the Schema & Structured Data for WP & AMP plugin?

This is a WordPress extension designed to help site administrators automatically add structured data markup to their pages, improving how content appears in search engine results. It includes specific features for handling media assets and frontend interactions, which is where this file-handling component resides.

What does CWE-434 mean regarding CVE-2026-9067?

CWE-434 refers to an Unrestricted Upload of a File with a Dangerous Type. In the context of this CVE, it means the plugin fails to verify who is uploading a file or check the actual file extension. Because the software does not restrict these uploads to safe formats like standard images, it allows attackers to bypass security boundaries and place unauthorized files onto the web server.
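To make the "fails to check the actual file extension" half of this answer and of the Attack Path section concrete, the block below puts a weak check that trusts the client's Content-Type beside a strict one that allowlists the final extension, rejects dangerous inner extensions, and requires the bytes to match the name. This is an added illustration written for this page, not code from the Schema & Structured Data for WP & AMP plugin; the allowed-extension set, the magic-byte table and the sample uploads are assumptions constructed for the example.

```python
"""Weak versus strict upload validation, to show what "fails to check the
actual file extension" means in practice.

Added illustration for this advisory; not code from the Schema & Structured
Data for WP & AMP plugin. The allowed-extension set, the magic-byte table and
the sample uploads are assumptions constructed for the example."""

# Types the handler is meant to accept (assumed; the advisory only says the
# plugin intended "images or videos").
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "mp4"}

# Extensions a web server may execute; they must not appear anywhere in the
# name, so 'shell.php.jpg' is rejected as well as 'shell.php'.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                        "phtml", "phar", "inc", "htaccess"}

# Leading bytes of the allowed image formats; video is left to the extension
# check in this illustration.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",            # GIF87a and GIF89a
}


def weak_check(filename, declared_mime, data):
    """The failing pattern: trust the Content-Type the client chose to send."""
    return declared_mime.startswith(("image/", "video/"))


def strict_check(filename, declared_mime, data):
    """Allowlist the final extension, reject dangerous inner extensions and
    path characters, and require the bytes to match what the name claims.
    The client's declared MIME type is deliberately ignored."""
    name = filename.strip().lower()
    if not name or any(c in name for c in "/\\\x00"):
        return False
    parts = name.split(".")
    if len(parts) < 2 or "" in parts:          # no extension, or '.', '..', 'a..b'
        return False
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if any(p in DANGEROUS_EXTENSIONS for p in parts[1:-1]):
        return False
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False
    return True


# Constructed sample uploads: (filename, declared Content-Type, first bytes).
SAMPLES = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.php", "image/png", b"<?php echo 'test'; ?>"),
    ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0<?php echo 'test'; ?>"),
    ("notimage.png", "image/png", b"<?php echo 'test'; ?>"),
]


def evaluate(samples=SAMPLES):
    """Return {filename: (weak_result, strict_result)} for each sample."""
    return {name: (weak_check(name, mime, data), strict_check(name, mime, data))
            for name, mime, data in samples}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:15} weak={weak!s:5} strict={strict}")
```

The weak check accepts all four samples because the client controls the declared type, which is the "any file type" outcome the advisory describes; the strict check accepts only the genuine PNG. In WordPress terms, the "who is uploading" half is a capability check such as current_user_can() together with a nonce check via check_ajax_referer(), and the "what is being uploaded" half is wp_check_filetype_and_ext(), which performs the extension-plus-content comparison sketched here.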

How does an attacker trigger this vulnerability?

The bug is triggered by sending a request to specific frontend AJAX endpoints provided by the plugin. An attacker does not need to log in or have administrative rights to reach these handlers. Importantly, the vulnerability does not require complex manipulation; the flaw exists because the plugin fails to perform basic checks, meaning any file type allowed by the underlying WordPress media settings can be uploaded regardless of the intended use.

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a higher-risk concern because the plugin's file upload handlers are typically accessible via the public internet to enable frontend user interactions. Because WordPress sites are almost always internet-facing, this exposure increases the likelihood that an attacker could locate and interact with the vulnerable AJAX endpoints directly.

What is the first step to address CVE-2026-9067?

Start by auditing your WordPress environment to confirm whether the Schema & Structured Data for WP & AMP plugin is installed and active. Once identified, document which instances are internet-facing to prioritize them, and verify the current plugin version against the vendor's guidance to prepare for a necessary update.
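The audit described above and in the Operational Fix section, as a script: given a list of WordPress document roots, it reports whether the plugin directory is present, which version header the main plugin file carries, and how that compares with the fixed version the vendor publishes. This is an added example for this page, not vendor tooling; the plugin directory slug is an assumption, FIXED_VERSION must be filled in from the vendor's guidance (the page names no fixed release), and the document roots it scans are constructed inline.

```python
"""Inventory helper for the first remediation step: which WordPress document
roots carry the plugin, and which version do they run?

Added example for this advisory, not vendor tooling. Assumptions: the plugin
directory slug below, and a fixed version supplied from the vendor's guidance
(the advisory itself names none). The sample docroots are constructed below."""
import os
import re
import tempfile

PLUGIN_SLUG = "schema-and-structured-data-for-wp"   # assumed directory name
FIXED_VERSION = None   # set from vendor guidance; None = no fixed release known

# Matches the 'Version:' line of a WordPress plugin header, with or without
# the leading '*' of a block comment.
_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def version_key(v):
    """Numeric tuple for comparison; non-numeric suffixes such as '-beta' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def plugin_version(docroot):
    """Return the Version: header of the plugin's main file, 'unknown' if the
    directory exists but no header is found, or None if the plugin is absent."""
    pdir = os.path.join(docroot, "wp-content", "plugins", PLUGIN_SLUG)
    if not os.path.isdir(pdir):
        return None
    for entry in sorted(os.listdir(pdir)):
        if not entry.endswith(".php"):
            continue
        with open(os.path.join(pdir, entry), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)   # WordPress itself reads only the first 8 KiB
        if "Plugin Name:" in head:
            m = _HEADER_RE.search(head)
            return m.group(1) if m else "unknown"
    return "unknown"


def assess(docroots, fixed_version=FIXED_VERSION):
    """Map each docroot to (version, status)."""
    out = {}
    for root in docroots:
        v = plugin_version(root)
        if v is None:
            out[root] = (None, "absent")
        elif fixed_version is None or v == "unknown":
            out[root] = (v, "installed, fix status unknown")
        elif version_key(v) >= version_key(fixed_version):
            out[root] = (v, "patched")
        else:
            out[root] = (v, "unpatched")
    return out


def build_sample_docroots():
    """Constructed: three fake WordPress roots, two with the plugin installed."""
    base = tempfile.mkdtemp(prefix="wp-sites-")
    header = "<?php\n/*\nPlugin Name: Schema & Structured Data for WP & AMP\nVersion: {}\n*/\n"
    for site, version in (("site-a", "1.2.3"), ("site-b", None), ("site-c", "2.0.0")):
        root = os.path.join(base, site)
        os.makedirs(os.path.join(root, "wp-content", "plugins"))
        if version:
            pdir = os.path.join(root, "wp-content", "plugins", PLUGIN_SLUG)
            os.makedirs(pdir)
            with open(os.path.join(pdir, "plugin.php"), "w", encoding="utf-8") as fh:
                fh.write(header.format(version))
    return [os.path.join(base, s) for s in ("site-a", "site-b", "site-c")]


if __name__ == "__main__":
    # "2.0.0" is a placeholder fixed version used only for the constructed sample.
    for root, (version, status) in assess(build_sample_docroots(), "2.0.0").items():
        print(f"{root}: version={version} status={status}")
```

Presence on disk does not mean the plugin is active; confirm activation on each flagged instance with WP-CLI (wp plugin list --status=active) before ranking it, and pair the result with your record of which roots are internet-facing.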
