MeldSecurity
Press Enter to search
CVE Database & Search →
Sign In Get Started

CVE-2026-2027

🟡 MEDIUM

The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 du...

Published
Feb 14, 2026
Last Modified
Feb 14, 2026
Views
8
Bookmarks
0

Description

Request Expert Review

The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Scores

CVSS 3.1 4.4
4.4
MEDIUM
CVSS 2.0 4.4

References

gist.github.com plugins.trac.wordpress.org plugins.trac.wordpress.org www.wordfence.com

Additional Information

Source
security@wordfence.com
State
Received

Related CVEs

CVE-2026-2469

HIGH

Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downs...

Score: 7.6

CVE-2026-2144

HIGH

The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to...

Score: 8.1

CVE-2026-1983

MEDIUM

The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This...

Score: 4.3

CVE-2026-1912

MEDIUM

The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all version...

Score: 6.4

CVE-2026-1904

MEDIUM

The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' short...

Score: 6.4

CVE-2026-1754

MEDIUM

The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and includi...

Score: 6.1

Share CVE-2026-2027

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2026-2027 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis