{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/amp-for-wp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6101"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AMP for WP – Accelerated Mobile Pages plugin \u003c 1.1.13"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","arbitrary-file-write","rce","webserver"],"_cs_type":"advisory","_cs_vendors":["AMP for WP"],"content_html":"\u003cp\u003eThe AMP for WP – Accelerated Mobile Pages plugin for WordPress, impacting versions up to and including 1.1.12, contains an arbitrary file write vulnerability, identified as CVE-2026-6101. This flaw stems from unsafe ZIP file extraction within the \u003ccode\u003eampforwp_save_local_font()\u003c/code\u003e function, compounded by inadequate cleanup of nested directories and files. Exploitation requires authenticated attackers with Author-level access and administrator-granted permissions. Successful exploitation allows the attacker to write arbitrary files to web-accessible server locations, which can lead to remote code execution on the compromised WordPress instance. This vulnerability poses a significant risk to affected WordPress sites as it can lead to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site with Author-level privileges.\u003c/li\u003e\n\u003cli\u003eAn Administrator grants the attacker permissions that allow the use of a plugin feature which invokes the \u003ccode\u003eampforwp_save_local_font()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specially designed ZIP archive containing malicious PHP webshell code, structured to exploit path traversal during extraction.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads this crafted ZIP file via the vulnerable WordPress plugin functionality, triggering the \u003ccode\u003eampforwp_save_local_font()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to unsafe ZIP file extraction, the malicious PHP file is written to a web-accessible directory on the server, outside its intended location, and inadequate cleanup fails to remove it.\u003c/li\u003e\n\u003cli\u003eThe attacker subsequently accesses the newly written malicious PHP file through a direct web request, triggering its execution on the server.\u003c/li\u003e\n\u003cli\u003eSuccessful execution of the malicious PHP file leads to remote code execution (RCE) on the underlying server, allowing arbitrary command execution and further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6101 grants authenticated attackers the ability to write arbitrary files to the web server, potentially leading to full remote code execution (RCE) on the WordPress instance. This can result in complete compromise of the website, including data theft, defacement, or further lateral movement within the hosting environment. While specific victim counts are not provided, WordPress sites utilizing the affected AMP for WP plugin versions are at risk. The CVSS v3.1 Base Score of 7.5 indicates a high severity vulnerability, reflecting the critical consequences of successful exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-6101 immediately by updating the AMP for WP – Accelerated Mobile Pages plugin to version 1.1.13 or newer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T14:18:39Z","date_published":"2026-07-07T14:18:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-amp-for-wp-file-write/","summary":"An arbitrary file write vulnerability (CVE-2026-6101) exists in the AMP for WP – Accelerated Mobile Pages plugin for WordPress, affecting versions up to and including 1.1.12. This flaw, caused by unsafe ZIP file extraction and inadequate cleanup, allows authenticated attackers with Author-level access and administrator-granted permissions to write arbitrary files to web-accessible server locations, potentially leading to remote code execution.","title":"CVE-2026-6101 — Arbitrary File Write in AMP for WP Plugin for WordPress","url":"https://feed.craftedsignal.io/briefs/2026-07-amp-for-wp-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed - AMP for WP","version":"https://jsonfeed.org/version/1.1"}