CVE-2026-6101 in AMP for WP Plugin
Summary
by MITRE • 07/07/2026
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories and files. This makes it possible for authenticated attackers, with Author-level access and above, and permissions granted by an Administrator, to write arbitrary files to the server in a web-accessible location, potentially leading to remote code execution on hosts that execute PHP files in the uploads directory.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability in the AMP for WP plugin represents a critical security flaw that leverages improper file handling during ZIP archive extraction processes. This issue affects versions up to and including 1.1.12 and stems from the ampforwp_save_local_font() function which fails to properly validate or sanitize file paths during decompression operations. The flaw creates a path traversal condition where maliciously crafted ZIP archives can be used to write files outside of intended directories, potentially allowing unauthorized modifications to the WordPress installation.
The technical implementation of this vulnerability involves unsafe extraction practices that do not adequately verify file paths within ZIP archives before writing them to disk. When the plugin processes font files through the ampforwp_save_local_font() function, it performs ZIP extraction without proper sanitization of directory traversal sequences or absolute path references. This allows attackers to manipulate the extraction process by including specially crafted file paths within the ZIP archive that would normally be prevented by proper path validation mechanisms.
Authentication requirements for exploitation reveal this vulnerability as a privilege escalation issue that can be leveraged by users with Author-level permissions or higher. The attack vector requires an authenticated session where the attacker has sufficient privileges to upload or modify plugin settings, typically through administrative interfaces or file upload mechanisms within the WordPress dashboard. This makes the vulnerability particularly dangerous in environments where authors and contributors have elevated access rights to modify site content.
The operational impact of this vulnerability extends beyond simple file modification to potentially enable complete system compromise through remote code execution. When combined with PHP execution permissions in web-accessible directories such as WordPress uploads folders, attackers can upload malicious PHP files that will execute with the privileges of the web server process. This creates a persistent backdoor condition where attackers can maintain access and escalate privileges over time, particularly in environments where uploaded content is automatically processed or executed by the web server.
Security mitigations for this vulnerability should focus on immediate plugin updates to versions that address the ZIP extraction logic and implement proper path validation mechanisms. Organizations must enforce strict file upload policies and validate all file paths during decompression operations to prevent directory traversal attacks. The fix should include comprehensive cleanup procedures that ensure nested directories and files are properly removed after processing, preventing potential leftover artifacts that could be exploited in subsequent attacks. Additionally, implementing least privilege principles for user accounts and regular security audits of plugin installations can help prevent unauthorized access to vulnerable functionality.
This vulnerability aligns with CWE-22 Path Traversal and CWE-73 Path Traversal in the Common Weakness Enumeration catalog, representing a classic file system manipulation attack that has been documented extensively in security literature. The ATT&CK framework categorizes this under T1059 Command and Scripting Interpreter for PHP execution, while also mapping to T1486 Data Encrypted for Impact as attackers may use this vulnerability to establish persistent access. Organizations should also consider implementing web application firewalls with signature-based detection capabilities to identify and block malicious ZIP file extraction attempts that attempt to exploit similar vulnerabilities in other WordPress plugins or CMS components.