PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6101 mohammed_kaludi CVE debrief

The CVE-2026-6101 vulnerability is an Arbitrary File Write issue in the AMP for WP – Accelerated Mobile Pages plugin for WordPress. This vulnerability exists due to unsafe ZIP file extraction in the ampforwp_save_local_font() function, combined with inadequate cleanup that fails to remove nested directories and files. Authenticated attackers with Author-level access and above, and permissions granted by an Administrator, can exploit this to write arbitrary files to the server in a web-accessible location. This could potentially lead to remote code execution on hosts that execute PHP files in the uploads directory.

Vendor
mohammed_kaludi
Product
AMP for WP – Accelerated Mobile Pages
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

WordPress site administrators and users of the AMP for WP – Accelerated Mobile Pages plugin should be aware of this vulnerability, especially if they have not updated to a patched version. The vulnerability allows for arbitrary file writes, which can lead to remote code execution under certain conditions.

Technical summary

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. The vulnerability arises from unsafe ZIP file extraction in the ampforwp_save_local_font() function and inadequate cleanup that fails to remove nested directories and files. Authenticated attackers with Author-level access and above, and permissions granted by an Administrator, can write arbitrary files to the server in a web-accessible location. This could potentially lead to remote code execution on hosts that execute PHP files in the uploads directory.

Defensive priority

High

Recommended defensive actions

  • Update the AMP for WP – Accelerated Mobile Pages plugin to a version beyond 1.1.12.
  • Restrict file write permissions in web-accessible directories.
  • Monitor server logs for suspicious file write activities.
  • Implement additional security measures such as web application firewalls (WAFs) to detect and prevent exploitation attempts.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-07T14:16:34.543Z and was last modified on 2026-07-07T15:16:49.807Z. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The NVD entry is currently Deferred.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T14:16:34.543Z and has not been modified since then. The NVD entry is currently Deferred.