Security Advisory - Published 2026-06-12 - WordPress plugin
Schema & Structured Data for WP & AMP CVE-2026-9067: file-upload self-check
CVE-2026-9067 affects the Schema & Structured Data for WP & AMP plugin before 1.60. The risk is in frontend AJAX file-upload handling: capability checks and file content validation were not strict enough for handlers meant to accept media.
Who should check
- WordPress sites using Schema & Structured Data for WP & AMP below 1.60.
- Sites where visitors can submit forms, reviews, frontend content, or media.
- Agencies with SEO plugin bundles installed across many WordPress sites.
- WooCommerce or publisher sites where unexpected uploaded files would be high impact.
10-minute self-check
Check the plugin version
wp plugin list | grep -i "schema"
wp plugin get schema-and-structured-data-for-wp --field=version 2>/dev/null
grep -Rni "Version:" wp-content/plugins/schema-and-structured-data-for-wp 2>/dev/null | head
Version 1.60 is the patch target. If WP-CLI is not available, check the plugin folder header or the WordPress admin plugins page.
Review recent uploads
find wp-content/uploads -type f -mtime -7 -print | head -200
find wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.phar" -o -name "*.html" -o -name "*.js" \) -print 2>/dev/null
Media libraries should not contain PHP-like files. HTML and JavaScript files may be legitimate on some sites, but they need owner and timestamp review when this plugin was exposed.
Check user and plugin changes
wp user list --fields=ID,user_login,user_email,roles,registered
wp plugin list --status=active
find wp-content/plugins wp-content/mu-plugins wp-content/themes -type f -mtime -7 -print | head -200
File upload issues often matter because they can become a foothold for later changes. Check new administrators, new plugins, modified themes, and mu-plugins before you declare the site clean.
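As an added example (not part of the advisory or the plugin project), the self-check steps above combined in one POSIX sh script; it assumes the plugin directory slug schema-and-structured-data-for-wp and the 1.60 patch target stated above, and takes the WordPress root as its first argument.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling. Assumes the plugin directory slug
# schema-and-structured-data-for-wp and the 1.60 patch target named in the advisory.
PATCHED_VERSION="1.60"

# Read the "Version:" plugin-header line from the top-level PHP files of plugin dir $1.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        "$1"/*.php 2>/dev/null | head -n 1
}

# True (exit 0) when version $1 is older than PATCHED_VERSION. Components are
# compared numerically, so 1.9 counts as older than 1.60 (a string sort would not).
version_below_patch() {
    [ -n "$1" ] || return 1
    awk -v a="$1" -v b="$PATCHED_VERSION" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1 }'
}

# Files under uploads dir $1 with the extensions the advisory says do not belong there.
suspicious_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \
        -o -name '*.html' -o -name '*.js' \) 2>/dev/null
}

# Run the checks against WordPress root $1 and print a short report.
self_check() {
    ver="$(plugin_version "$1/wp-content/plugins/schema-and-structured-data-for-wp")"
    if [ -z "$ver" ]; then
        echo "plugin: not found under $1 (or no Version: header)"
    elif version_below_patch "$ver"; then
        echo "plugin: $ver is below $PATCHED_VERSION - update first"
    else
        echo "plugin: $ver (patched)"
    fi
    echo "script-like files in uploads:"
    suspicious_uploads "$1/wp-content/uploads"
    echo "code files modified in the last 7 days:"
    find "$1/wp-content/plugins" "$1/wp-content/mu-plugins" "$1/wp-content/themes" \
        -type f -mtime -7 2>/dev/null | head -200
}

if [ $# -gt 0 ]; then self_check "$1"; fi
```

Run it as `sh check.sh /path/to/wordpress`; an empty uploads list and a patched version line are the expected clean result.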
Safe fix path
- Update Schema & Structured Data for WP & AMP to 1.60 or newer.
- Restrict public upload and form endpoints until the update is complete.
- Scan wp-content/uploads, plugins, mu-plugins, and active themes for recent changes.
- Rotate WordPress admin passwords if suspicious files or users appear.
- Keep web server logs for the period before patching.
Ping7 repair path
Ping7 can review plugin version, uploads, WordPress users, modified files, and post-patch cleanup. Use CVE Repair and include the site URL, plugin version, hosting panel, and whether visitors can submit content.