<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AMP for WP - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/amp-for-wp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 14:18:39 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/amp-for-wp/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-6101 — Arbitrary File Write in AMP for WP Plugin for WordPress</title><link>https://feed.craftedsignal.io/briefs/2026-07-amp-for-wp-file-write/</link><pubDate>Tue, 07 Jul 2026 14:18:39 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-amp-for-wp-file-write/</guid><description>An arbitrary file write vulnerability (CVE-2026-6101) exists in the AMP for WP – Accelerated Mobile Pages plugin for WordPress, affecting versions up to and including 1.1.12. This flaw, caused by unsafe ZIP file extraction and inadequate cleanup, allows authenticated attackers with Author-level access and administrator-granted permissions to write arbitrary files to web-accessible server locations, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>The AMP for WP – Accelerated Mobile Pages plugin for WordPress, impacting versions up to and including 1.1.12, contains an arbitrary file write vulnerability, identified as CVE-2026-6101. This flaw stems from unsafe ZIP file extraction within the <code>ampforwp_save_local_font()</code> function, compounded by inadequate cleanup of nested directories and files. Exploitation requires authenticated attackers with Author-level access and administrator-granted permissions. Successful exploitation allows the attacker to write arbitrary files to web-accessible server locations, which can lead to remote code execution on the compromised WordPress instance. This vulnerability poses a significant risk to affected WordPress sites as it can lead to full system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated access to a WordPress site with Author-level privileges.</li>
<li>An Administrator grants the attacker permissions that allow the use of a plugin feature which invokes the <code>ampforwp_save_local_font()</code> function.</li>
<li>The attacker crafts a specially designed ZIP archive containing malicious PHP webshell code, structured to exploit path traversal during extraction.</li>
<li>The attacker uploads this crafted ZIP file via the vulnerable WordPress plugin functionality, triggering the <code>ampforwp_save_local_font()</code> function.</li>
<li>Due to unsafe ZIP file extraction, the malicious PHP file is written to a web-accessible directory on the server, outside its intended location, and inadequate cleanup fails to remove it.</li>
<li>The attacker subsequently accesses the newly written malicious PHP file through a direct web request, triggering its execution on the server.</li>
<li>Successful execution of the malicious PHP file leads to remote code execution (RCE) on the underlying server, allowing arbitrary command execution and further system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6101 grants authenticated attackers the ability to write arbitrary files to the web server, potentially leading to full remote code execution (RCE) on the WordPress instance. This can result in complete compromise of the website, including data theft, defacement, or further lateral movement within the hosting environment. While specific victim counts are not provided, WordPress sites utilizing the affected AMP for WP plugin versions are at risk. The CVSS v3.1 Base Score of 7.5 indicates a high severity vulnerability, reflecting the critical consequences of successful exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-6101 immediately by updating the AMP for WP – Accelerated Mobile Pages plugin to version 1.1.13 or newer.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>arbitrary-file-write</category><category>rce</category><category>webserver</category></item></channel></rss>