CVE-2025-9512: 
WordPress vulnerability analysis and mitigation

The Schema & Structured Data for WP & AMP WordPress plugin before version 1.50 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-9512. The vulnerability was discovered by Matthew Rollings and publicly disclosed on September 10, 2025. This security flaw affects all versions of the plugin prior to version 1.50 (WPScan).

The vulnerability stems from improper handling of HTML tag attribute modifications in the plugin. The issue allows unauthenticated attackers to conduct Stored XSS attacks through post comments. The vulnerability has been assigned a CVSS score of 8.8 (high), indicating its significant severity. The flaw is classified under CWE-79 and falls into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When successfully exploited, the vulnerability allows unauthenticated attackers to inject malicious scripts that execute in the context of other users viewing the affected pages. This could lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been patched in version 1.50 of the Schema & Structured Data for WP & AMP plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).