Security Advisory - Published 2026-06-12 - WordPress plugin

Schema & Structured Data for WP & AMP CVE-2026-9067: file-upload self-check

CVE-2026-9067 affects the Schema & Structured Data for WP & AMP plugin before 1.60. The risk is in frontend AJAX file-upload handling: capability checks and file content validation were not strict enough for handlers meant to accept media.

Defensive scope: this guide checks plugin version, uploads, and WordPress state. It does not include upload requests, bypass strings, or testing steps for sites you do not own.

Who should check

  • WordPress sites using Schema & Structured Data for WP & AMP below 1.60.
  • Sites where visitors can submit forms, reviews, frontend content, or media.
  • Agencies with SEO plugin bundles installed across many WordPress sites.
  • WooCommerce or publisher sites where unexpected uploaded files would be high impact.

10-minute self-check

Check the plugin version

wp plugin list | grep -i "schema"
wp plugin get schema-and-structured-data-for-wp --field=version 2>/dev/null
grep -n "^ \* Version:" wp-content/plugins/schema-and-structured-data-for-wp/*.php 2>/dev/null

Version 1.60 is the patch target. If WP-CLI is not available, check the plugin folder header or the WordPress admin plugins page.

Review recent uploads

find wp-content/uploads -type f -mtime -7 -print | head -200
find wp-content/uploads -type f \( -iname "*.php" -o -iname "*.php.*" -o -iname "*.phtml" -o -iname "*.phar" -o -iname "*.html" -o -iname "*.js" -o -name ".htaccess" \) -print 2>/dev/null

Media libraries should not contain PHP-like files, including double extensions such as name.php.jpg, which some Apache handler configurations still execute. A .htaccess inside uploads deserves the same scrutiny: one that adds AddHandler, AddType or SetHandler lines can make an otherwise harmless extension run as PHP. HTML and JavaScript files may be legitimate on some sites, but they need owner and timestamp review when this plugin was exposed.

Check user and plugin changes

wp user list --fields=ID,user_login,user_email,roles,registered
wp plugin list --status=active
find wp-content/plugins wp-content/mu-plugins wp-content/themes -type f -mtime -7 -print | head -200

An upload flaw matters mostly as a foothold: a PHP file dropped into uploads runs as the web server user and can create administrators, install plugins, or edit themes. Check for new administrators, new plugins, modified themes, and unexpected mu-plugins before you declare the site clean.
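The three checks above, combined into one script. This is an added example, not the advisory's or the plugin's own code. It assumes the plugin directory is wp-content/plugins/schema-and-structured-data-for-wp with a standard "Version:" header in its main file, that 1.60 is the patched release, and it builds a constructed WordPress-like directory (assumed file names, including a deliberately suspicious .htaccess and a hidden PHP file) so it runs offline; pass a real site root as the first argument to check a live install.

```shell
#!/bin/sh
# Added self-check script for the steps above; it is not the advisory's or the
# plugin's own code. Assumptions: the plugin lives in
# wp-content/plugins/schema-and-structured-data-for-wp, its main file carries a
# standard "Version:" header, and 1.60 is the patched release.

PATCHED_VERSION="1.60"
PLUGIN_SLUG="schema-and-structured-data-for-wp"

# plugin_version ROOT: print the plugin's Version: header, or nothing if absent.
plugin_version() {
    dir="$1/wp-content/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || return 0
    # WordPress reads the header from a top-level .php file of the plugin.
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"/*.php 2>/dev/null \
        | head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# version_lt A B: succeed when A is lower than B, comparing dot-separated
# numeric fields (so 1.6 < 1.60 and 1.59.1 < 1.60).
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# check_plugin_version ROOT: print "missing", "patched V" or "vulnerable V (< 1.60)".
check_plugin_version() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "missing"
    elif version_lt "$v" "$PATCHED_VERSION"; then
        echo "vulnerable $v (< $PATCHED_VERSION)"
    else
        echo "patched $v"
    fi
}

# executable_uploads UPLOADS: files a web server may execute or that change how
# it treats the directory: PHP variants, double extensions, hidden files, .htaccess.
executable_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php.*' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.ph[0-9]' -o -name '.htaccess' \) -print
}

# handler_overrides UPLOADS: .htaccess files that add PHP handlers or type
# mappings, the usual trick for making a .jpg upload execute.
handler_overrides() {
    find "$1" -type f -name '.htaccess' -print | while IFS= read -r f; do
        if grep -qE 'AddHandler|AddType|SetHandler|php_(flag|value)' "$f"; then
            echo "$f"
        fi
    done
}

# recent_changes ROOT DAYS: files under plugins, mu-plugins, themes and uploads
# modified within DAYS days (directories that do not exist are skipped).
recent_changes() {
    for d in plugins mu-plugins themes uploads; do
        if [ -d "$1/wp-content/$d" ]; then
            find "$1/wp-content/$d" -type f -mtime "-$2" -print
        fi
    done
}

# make_fixture: constructed WordPress layout for offline use (assumed file
# names, not the real plugin's files); prints its path.
make_fixture() {
    root=$(mktemp -d)
    p="$root/wp-content/plugins/$PLUGIN_SLUG"
    mkdir -p "$p" "$root/wp-content/themes" "$root/wp-content/uploads/2026/06"
    printf '<?php\n/*\n * Plugin Name: Schema & Structured Data for WP & AMP\n * Version: 1.59\n */\n' \
        > "$p/structured-data-for-wp.php"
    printf 'JFIF' > "$root/wp-content/uploads/2026/06/photo.jpg"              # benign
    printf '<?php echo 1;' > "$root/wp-content/uploads/2026/06/.cache.php"    # hidden PHP
    printf 'GIF89a<?php' > "$root/wp-content/uploads/2026/06/avatar.PHP.jpg"  # double extension
    printf 'AddType application/x-httpd-php .jpg\n' > "$root/wp-content/uploads/.htaccess"
    echo "$root"
}

# Stand-alone run: pass a WordPress root as $1, otherwise use the fixture.
site="${1:-}"
[ -n "$site" ] || site=$(make_fixture)
echo "plugin: $(check_plugin_version "$site")"
echo "--- executable-looking uploads"; executable_uploads "$site/wp-content/uploads"
echo "--- .htaccess handler overrides"; handler_overrides "$site/wp-content/uploads"
echo "--- files changed in the last 7 days"; recent_changes "$site" 7
[ -n "${1:-}" ] || rm -rf "$site"
```

The version comparison is numeric per field rather than a string comparison, so 1.6 is correctly reported as older than 1.60. The upload listing is case-insensitive on purpose: Apache's extension matching is case-insensitive, so shell.PhP is as dangerous as shell.php. Anything handler_overrides prints should be treated as an active attack artifact, not a misconfiguration.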

Safe fix path

  1. Update Schema & Structured Data for WP & AMP to 1.60 or newer.
  2. Until the update is applied, restrict the public upload and form endpoints (for example by disabling frontend submission features or blocking them at the web server) and deny PHP execution under wp-content/uploads.
  3. Scan wp-content/uploads, plugins, mu-plugins, and active themes for recent changes.
  4. If suspicious files or users appear, rotate WordPress admin passwords and the wp-config.php salts (which invalidates existing sessions), and treat the site as compromised rather than merely exposed.
  5. Preserve web server and PHP logs from the period before patching; POST requests to admin-ajax.php, the usual WordPress AJAX entry point, around the time suspicious files appeared are the first thing to review.
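A stop-gap for steps 2 and 3 that the advisory does not spell out: make sure nothing under wp-content/uploads can execute, even if a file slipped through before the update. This is an added example, not the advisory's or the plugin's code. It assumes Apache 2.4 syntax (Require all denied) with AllowOverride permitting FilesMatch in .htaccess, or nginx where the regex location is included before the PHP-FPM handler location; the marker comment "added by uploads hardening" is this example's own convention. It runs on a constructed temporary directory; point it at the real uploads path instead.

```shell
#!/bin/sh
# Added example for steps 2 and 3, not the advisory's or the plugin's code:
# stop the web server from executing anything under wp-content/uploads while
# the update is pending. Assumptions: Apache 2.4 syntax (Require), with
# AllowOverride permitting FilesMatch in .htaccess; for nginx, the regex
# location must be included before the "location ~ \.php$" handler.

# write_uploads_htaccess UPLOADS: deny requests for PHP-like files, including
# double extensions such as name.php.jpg. An unexpected existing .htaccess is
# left alone, because it may itself be the attacker's file.
write_uploads_htaccess() {
    f="$1/.htaccess"
    if [ -e "$f" ] && ! grep -q 'added by uploads hardening' "$f"; then
        echo "refusing to overwrite $f; review it first" >&2
        return 1
    fi
    cat > "$f" <<'EOF'
# added by uploads hardening: uploads must never run as PHP
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# write_nginx_uploads_rule OUTFILE: nginx equivalent; the first matching regex
# location wins, so include this before the PHP-FPM handler location.
write_nginx_uploads_rule() {
    cat > "$1" <<'EOF'
# added by uploads hardening: never hand uploads to PHP-FPM
location ~* ^/wp-content/uploads/.*\.(php[0-9]?|phtml|phar|phps)(\.|$) {
    return 403;
}
EOF
}

# verify_uploads_hardening UPLOADS: succeed only when our deny rule is in place.
verify_uploads_hardening() {
    grep -q 'added by uploads hardening' "$1/.htaccess" 2>/dev/null \
        && grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Stand-alone run on a constructed temporary directory (assumed path); point it
# at the real wp-content/uploads instead.
demo=$(mktemp -d)
write_uploads_htaccess "$demo" && verify_uploads_hardening "$demo" && echo "hardened $demo"
write_nginx_uploads_rule "$demo/uploads-deny.conf"
cat "$demo/.htaccess" "$demo/uploads-deny.conf"
rm -rf "$demo"
```

Two caveats. If the host sets AllowOverride None, the FilesMatch block belongs in a Directory section of the vhost configuration rather than in .htaccess, and the .htaccess file here will be ignored silently, which is why verify_uploads_hardening only confirms the file content, not the server's behaviour. The rule also does nothing for uploaded .html or .js files, which are served as-is and remain a stored-XSS risk, so it complements the update and the upload review rather than replacing them. The self-check's listing of .htaccess files in uploads will show this file; it is recognisable by its marker comment and contains no handler directives.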

Ping7 repair path

Ping7 can review plugin version, uploads, WordPress users, modified files, and post-patch cleanup. Use CVE Repair and include the site URL, plugin version, hosting panel, and whether visitors can submit content.
