CVE-2025-9512: 
WordPress vulnerability analysis and mitigation

The Schema & Structured Data for WP & AMP WordPress plugin before version 1.50 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-9512. The vulnerability was discovered by Matthew Rollings and publicly disclosed on September 10, 2025. This security flaw affects all versions of the plugin prior to version 1.50 (WPScan).

The vulnerability stems from improper handling of HTML tag attribute modifications in the plugin. The issue allows unauthenticated attackers to conduct Stored XSS attacks through post comments. The vulnerability has been assigned a CVSS score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD).

When successfully exploited, the vulnerability allows attackers to inject malicious scripts that execute in the context of other users viewing the affected pages. This could lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser (WPScan).

The recommended mitigation is to update the Schema & Structured Data for WP & AMP plugin to version 1.50 or later, which contains the security fix for this vulnerability (WPScan).