Unauthenticated Arbitrary File Upload in Schema & Structured Data for WP & AMP WordPress Plugin
CVE-2026-9067 affects the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60. The plugin's frontend AJAX file-upload handlers do not enforce user capability checks and do not validate the actual uploaded file content against the endpoint's intended media type. As a result, endpoints that are intended to accept only images or videos can be abused by unauthenticated remote attackers to upload any file type that is otherwise accepted by the WordPress media library.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small standalone exploit/PoC set for CVE-2026-9067 affecting the WordPress plugin Schema & Structured Data for WP & AMP before version 1.60. It contains 6 files total: two executable exploit scripts (Python and Bash), two Markdown documentation files, a license, and a .gitignore. The main operational files are CVE-2026-9067.py and CVE-2026-9067.sh.

The exploit’s purpose is to validate and abuse unauthenticated arbitrary media/file upload functionality exposed through WordPress AJAX handlers tied to the plugin’s review-form feature. The workflow implemented by both scripts is: verify target reachability, attempt to fingerprint the plugin version from a public readme path, search multiple frontend pages for the saswp review-form nonce, then submit a multipart POST request to /wp-admin/admin-ajax.php using either action=saswp_rf_form_image_upload or action=saswp_rf_form_video_upload. The uploaded file is disguised with an allowed media MIME type while retaining attacker-controlled content and filename.

Capabilities present in the code include single-target and multi-target scanning, basic concurrency/threading, nonce extraction via regex from several common WordPress pages, plugin version probing, upload testing against both vulnerable AJAX actions, result logging, and output-file generation. The Bash script additionally creates temporary files under /tmp for upload testing and parallelizes scans by splitting URL lists into chunks. The Python script appears more feature-rich, with colored logging, multiple nonce regex patterns, fallback probing of /wp-json/, and support for custom shell/file input, though the provided content is partially truncated.
Despite some README language referring to shells/RCE, the repository documentation itself acknowledges the practical limitation that standard WordPress core blocks executable file types such as .php in normal uploads, so the realistic exploit outcome is arbitrary public file hosting rather than direct code execution. Accordingly, this is best characterized as an operational arbitrary file upload validator/exploit rather than a weaponized RCE framework.
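As an added example, not code from the plugin or from the PoC repository, the following is a hypothetical hardened version of an admin-ajax image-upload handler that adds the two controls the advisory says were missing: a capability check, and validation of the real file content against the endpoint's intended media type, which is what defeats the forged-MIME-type disguise the PoC relies on. The action name comes from the advisory; the nonce action `saswp_rf_nonce`, the form field name `file`, and the function name are assumptions.

```php
<?php
// Hypothetical hardened handler (not the plugin's code). The AJAX action name is
// from the advisory; 'saswp_rf_nonce', the 'file' field and the function name are
// assumptions made for this example.

// Register for logged-in users only. Without a matching wp_ajax_nopriv_ hook,
// admin-ajax.php never dispatches anonymous requests to this function.
add_action( 'wp_ajax_saswp_rf_form_image_upload', 'hardened_rf_image_upload' );

function hardened_rf_image_upload() {
    // Nonce bound to this form; check_ajax_referer() dies with 403 on mismatch.
    check_ajax_referer( 'saswp_rf_nonce', 'security' );

    // Capability check: the control the vulnerable handlers lacked.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( array( 'message' => 'no file received' ), 400 );
    }

    // Allow-list for an image endpoint; a video endpoint would carry its own list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Inspect the real bytes on disk, not the client-supplied Content-Type, so a
    // renamed file with a forged MIME type is rejected here. wp_get_image_mime()
    // additionally requires the bytes to parse as an image even without fileinfo.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['type'] ) || ! wp_get_image_mime( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'content is not an allowed image' ), 415 );
    }

    // wp_handle_upload() re-applies the allow-list and moves the file into uploads/.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The video action would follow the same structure with a video MIME allow-list; the key point is that the content check and the capability check both run before anything touches the uploads directory.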