The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories and files. This makes it possible for authenticated attackers, with Author-level access and above, and permissions granted by an Administrator, to write arbitrary files to the server in a web-accessible location, potentially leading to remote code execution on hosts that execute PHP files in the uploads directory.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-6101 affects the AMP for WP plugin (versions ≤1.1.12) and exploits unsafe ZIP file extraction within the ampforwp_save_local_font() function. The vulnerability allows authenticated attackers with Author-level permissions or higher to write arbitrary files to web-accessible directories on affected servers. This is particularly dangerous because it bypasses file upload restrictions by abusing the plugin's internal font handling mechanism, combined with inadequate cleanup that leaves nested directories intact. WordPress site administrators who have granted Author privileges to multiple users face significant risk, as the attack requires only legitimate platform access rather than zero-day exploitation.
While this CVE does not map to specific MITRE ATT&CK techniques, Casky's Claude AI-powered analysis would identify attack patterns consistent with CWE-73 (External Control of File Name or Path) by detecting suspicious file write operations, extraction activities, and post-exploitation artifacts. Practitioners using Casky would observe detection signals around: (1) unexpected ZIP archive processing in plugin directories, (2) file creation in web-accessible paths outside normal application behavior, (3) nested directory structures appearing after font update operations, and (4) permission changes on newly written files. Security teams would correlate these findings with user activity logs to identify which Author-level accounts triggered the malicious extraction, enabling rapid incident response and privilege review across the WordPress installation.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-6101. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation