Platform
wordpress
Component
twentig
Fixed in
1.9.8
CVE-2026-2602 is a stored Cross-Site Scripting (XSS) vulnerability found in the Twentig plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page, potentially leading to account compromise or other malicious actions. The vulnerability affects Twentig plugin versions up to and including 1.9.7 and is fixed in version 2.0.
CVE-2026-2602 in the Twentig Supercharged Block Editor plugin affects versions up to and including 1.9.7. It allows authenticated attackers, with Contributor-level access or higher, to inject arbitrary web scripts into WordPress pages. These scripts will execute whenever a user accesses the compromised page, potentially leading to sensitive information theft, website content manipulation, or redirection of users to malicious websites. The CVSS score of 6.4 indicates a medium risk, requiring prompt attention to prevent potential attacks. The lack of proper input sanitization of the 'featuredImageSizeWidth' parameter is the root cause of this vulnerability.
An attacker with Contributor or higher access can exploit this vulnerability by injecting malicious JavaScript code into the 'featuredImageSizeWidth' field of a page. This code will be stored in the database and executed in the browser of any user who visits the page, regardless of their permissions. The ease of exploitation, combined with the potential to affect all site users, makes this vulnerability a significant risk. The attacker could use this technique to steal session cookies, redirect users to phishing sites, or even take control of the website.
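The advisory attributes the flaw to missing input sanitization of the 'featuredImageSizeWidth' parameter. The following stand-alone PHP is an added illustration, not Twentig's own code, of how a defender would validate such a value before it reaches page HTML: a width is coerced to a bounded integer, so markup of any kind is discarded rather than stored and rendered. How Twentig actually renders the attribute is not on the page; the inline-style rendering below, and the helper names, are assumptions for this example. In WordPress the equivalent calls are absint() and esc_attr().

```php
<?php
// Added illustration (not the plugin's code): validating a block attribute
// that must be a pixel width before it is emitted into page HTML.
// The attribute name comes from the advisory; the rendering context is assumed.

/**
 * Coerce an untrusted attribute to a bounded non-negative integer.
 * Anything that is not a plain integer (markup, quotes, scripts) becomes
 * the default. absint() plays a similar role in WordPress.
 */
function sanitize_width(mixed $value, int $default = 0, int $max = 4096): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $int === false ? $default : $int;
}

/**
 * Render the width into an inline style attribute (assumed context).
 * Because sanitize_width() only ever returns an int, the interpolated value
 * cannot carry markup; htmlspecialchars() (esc_attr() in WordPress) is
 * defence in depth for the attribute context.
 */
function render_featured_image_style(array $attributes): string
{
    $width = sanitize_width($attributes['featuredImageSizeWidth'] ?? null);
    return 'style="' . htmlspecialchars("width:{$width}px", ENT_QUOTES, 'UTF-8') . '"';
}

// Constructed inputs: a legitimate value and a value carrying markup.
$legit  = ['featuredImageSizeWidth' => '640'];
$markup = ['featuredImageSizeWidth' => '<b>640</b>'];

echo render_featured_image_style($legit), PHP_EOL;
echo render_featured_image_style($markup), PHP_EOL;
```

Run with `php example.php`: the first line carries the 640px width, the second falls back to the 0px default because the value was not a plain integer. The same pattern, validate to the narrowest type the attribute can legitimately hold and escape for the output context, is what a WAF rule can only approximate, which is why the advisory treats a WAF as a stopgap rather than a fix.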
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The recommended solution is to update the Twentig Supercharged Block Editor plugin to version 2.0 or higher, which includes the security fix for CVE-2026-2602. If updating is not immediately possible, restrict access for users with Contributor-level access or higher, limiting their ability to edit pages. Implementing a Web Application Firewall (WAF) can also help detect and block malicious script injection attempts. Regular security audits of the website are also crucial for identifying and mitigating potential vulnerabilities.
Update to version 2.0, or a newer patched version
In WordPress, a user with the 'Contributor' role has permission to write and publish posts, but cannot install plugins or themes, or modify site settings.
In the WordPress admin dashboard, go to 'Plugins' and search for 'Twentig Supercharged Block Editor'. The plugin version will be displayed below the plugin name.
A WAF (Web Application Firewall) is a security tool that protects web applications from attacks. Several WAFs are available, both as WordPress plugins and cloud-based services. Research options like Wordfence, Sucuri, or Cloudflare.
While this might reduce the risk, it's not a complete solution. Updating to version 2.0 or higher is the safest way to address the vulnerability.
If you suspect your site has been compromised, immediately change all administrator passwords, scan your site for malware, and restore a clean backup of the site.