VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 14 known issues Latest disclosed Jan 08, 2026

AMP for WP – Accelerated Mobile Pages Vulnerabilities

Review known vulnerability records for the WordPress plugin AMP for WP – Accelerated Mobile Pages (`accelerated-mobile-pages`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-0627, CVE-2025-14468 and CVE-2024-11254, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
14
High or Critical
1
Patch Coverage
100%
Last Updated
Jan 15, 2026
Priority CVE Quick Links

Fast paths into AMP for WP – Accelerated Mobile Pages CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
13
CVE-2024-9598 High 1.0.99.2
CVE-2024-9598 AMP for WP – Accelerated Mobile Pages Cross-Site Request Forgery

AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 - Cross-Site Request Forgery to Privilege Escalation

CVE-2024-1043 Medium 1.0.93.2
CVE-2024-1043 AMP for WP – Accelerated Mobile Pages Vulnerability

AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

CVE-2026-0627 Medium 1.1.11
CVE-2026-0627 AMP for WP – Accelerated Mobile Pages File Upload

AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload

CVE-2024-6896 Medium 1.0.97
CVE-2024-6896 AMP for WP – Accelerated Mobile Pages File Upload

AMP for WP – Accelerated Mobile Pages <= 1.0.96.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

CVE-2023-6782 Medium 1.0.92.1
CVE-2023-6782 AMP for WP – Accelerated Mobile Pages Stored Cross-Site Scripting

AMP for WP – Accelerated Mobile Pages <= 1.0.92 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode

CVE-2023-48321 Medium 1.0.89
CVE-2023-48321 AMP for WP – Accelerated Mobile Pages Stored Cross-Site Scripting

Accelerated Mobile Pages <= 1.0.88.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

CVE-2024-11254 Medium 1.1.2
CVE-2024-11254 AMP for WP – Accelerated Mobile Pages Cross-Site Scripting

AMP for WP – Accelerated Mobile Pages <= 1.1.1 - Reflected Cross-Site Scripting

CVE-2024-0587 Medium 1.0.93
CVE-2024-0587 AMP for WP – Accelerated Mobile Pages Cross-Site Scripting

Accelerated Mobile Pages <= 1.0.92.1 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for AMP for WP – Accelerated Mobile Pages so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
14 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 1 high severity finding.
Recent CVEs
CVE-2026-0627, CVE-2025-14468 and CVE-2024-11254
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for AMP for WP – Accelerated Mobile Pages

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-0627
CVE-2026-0627: AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `` tags while allowing other XSS vectors such as even...

Published
Jan 08, 2026
Patched Release
1.1.11
Affected Versions
Versions up to 1.1.10
Next Step
Update to 1.1.11 or newer if supported.
Open CVE-2026-0627 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14468
CVE-2025-14468: AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonce...

Published
Jan 06, 2026
Patched Release
1.1.10
Affected Versions
Versions up to 1.1.9
Next Step
Update to 1.1.10 or newer if supported.
Open CVE-2025-14468 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-11254
CVE-2024-11254: AMP for WP – Accelerated Mobile Pages <= 1.1.1 - Reflected Cross-Site Scripting

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the disqus_name parameter in all versions up to, and including, 1.1.1 due to insufficient input validation. This makes it possible for unauthenticated attackers to i...

Published
Dec 17, 2024
Patched Release
1.1.2
Affected Versions
Versions up to 1.1.1
Next Step
Update to 1.1.2 or newer if supported.
Open CVE-2024-11254 Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-9598
CVE-2024-9598: AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 - Cross-Site Request Forgery to Privilege Escalation

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.99.1. This is due to missing or incorrect nonce validation on the 'proxy' function. This makes it possible for unauthenticated atta...

Published
Oct 24, 2024
Patched Release
1.0.99.2
Affected Versions
Versions up to 1.0.99.1
Next Step
Update to 1.0.99.2 or newer if supported.
Open CVE-2024-9598 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-43146
CVE-2024-43146: AMP for WP <= 1.0.96.1 - Missing Authorization

The AMP for WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions like 'enable_amp_pagebuilder' and 'amppb_save_layout_data' in versions up to, and including, 1.0.96.1. This makes it possible for authenti...

Published
Aug 07, 2024
Patched Release
1.0.97
Affected Versions
Versions up to 1.0.96.1
Next Step
Update to 1.0.97 or newer if supported.
Open CVE-2024-43146 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-6896
CVE-2024-6896: AMP for WP – Accelerated Mobile Pages <= 1.0.96.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.96.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published
Jul 23, 2024
Patched Release
1.0.97
Affected Versions
Versions up to 1.0.96.1
Next Step
Update to 1.0.97 or newer if supported.
Open CVE-2024-6896 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1043
CVE-2024-1043: AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'amppb_remove_saved_layout_data' function in all versions up to, and including, 1.0.93.1. This makes it possible for authenticated at...

Published
Feb 06, 2024
Patched Release
1.0.93.2
Affected Versions
Versions up to 1.0.93.1
Next Step
Update to 1.0.93.2 or newer if supported.
Open CVE-2024-1043 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-0587
CVE-2024-0587: Accelerated Mobile Pages <= 1.0.92.1 - Reflected Cross-Site Scripting

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'disqus_name' parameter in all versions up to, and including, 1.0.92.1 due to insufficient input sanitization and output escaping on the executed JS file. This m...

Published
Jan 22, 2024
Patched Release
1.0.93
Affected Versions
Versions up to 1.0.92.1
Next Step
Update to 1.0.93 or newer if supported.
Open CVE-2024-0587 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-6782
CVE-2023-6782: AMP for WP – Accelerated Mobile Pages <= 1.0.92 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.92 due to insufficient input sanitization and output escaping on user supplied attributes. This make...

Published
Dec 18, 2023
Patched Release
1.0.92.1
Affected Versions
Versions up to 1.0.92
Next Step
Update to 1.0.92.1 or newer if supported.
Open CVE-2023-6782 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-48321
CVE-2023-48321: Accelerated Mobile Pages <= 1.0.88.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.88.1 due to insufficient input sanitization and output escaping on user supplied attributes. This ma...

Published
Nov 28, 2023
Patched Release
1.0.89
Affected Versions
Versions up to 1.0.88.1
Next Step
Update to 1.0.89 or newer if supported.
Open CVE-2023-48321 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2021-23209
CVE-2021-23209: AMP for WP <= 1.0.77.32 - Authenticated Stored Cross-Site Scripting

Multiple Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) vulnerabilities discovered in AMP for WP – Accelerated Mobile Pages WordPress plugin (versions

Published
Dec 15, 2021
Patched Release
1.0.77.33
Affected Versions
Versions up to 1.0.77.32
Next Step
Update to 1.0.77.33 or newer if supported.
Open CVE-2021-23209 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2021-23150
CVE-2021-23150: AMP for WP – Accelerated Mobile Pages <= 1.0.77.31 - Authenticated (Admin+) Stored Cross-Site Scripting

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability discovered in AMP for WP – Accelerated Mobile Pages WordPress plugin (versions

Published
Dec 11, 2021
Patched Release
1.0.77.32
Affected Versions
Versions up to 1.0.77.31
Next Step
Update to 1.0.77.32 or newer if supported.
Open CVE-2021-23150 Report Open CVE Reference