Home

Description

The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.

PUBLISHED Reserved 2025-08-26 | Published 2025-10-01 | Updated 2025-10-01 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status
unaffected

Any version before 1.50
affected

Credits

Matthew Rollings finder

WPScan coordinator

References

wpscan.com/...rability/e45d9335-3665-4155-abdf-9eeea250f1ba/ exploit vdb-entry technical-description

cve.org (CVE-2025-9512)

nvd.nist.gov (CVE-2025-9512)

Download JSON