CVE-2024-6896: 
WordPress vulnerability analysis and mitigation

The AMP for WP – Accelerated Mobile Pages plugin for WordPress (versions up to 1.0.96.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-6896). The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on July 24, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping when handling SVG file uploads. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file (NVD).

Users should update to version 1.0.97 or later of the AMP for WP plugin, which contains the security fix. The patch has been documented in the WordPress plugin repository (WordPress Plugin).