CVE-2026-2489
Stored XSS in TP2WP Importer Plugin Allows Admin Script Injection
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp2wp_importer | tp2wp_importer | up to and including 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting Administrator-level access to trusted users only, as exploitation requires authenticated admin privileges.
Avoid entering or accepting untrusted input in the 'Watched domains' textarea until a patch or update is available.
Monitor for updates or patches from the plugin author or WordPress plugin repository and apply them promptly once released.
Can you explain this vulnerability to me?
The TP2WP Importer plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'Watched domains' textarea on the attachment importer settings page. This vulnerability exists in all versions up to and including 1.1. It occurs because the plugin does not properly sanitize input or escape output when domains are saved via AJAX and then rendered using echo implode() without esc_textarea().
As a result, an authenticated attacker with Administrator-level access or higher can inject arbitrary web scripts that will execute whenever any user accesses the attachment importer settings page.
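The rendering pattern the description names, shown beside a hardened version, as an added example that is not the TP2WP Importer plugin's own code; the option name, AJAX action and function names are hypothetical, while esc_textarea(), sanitize_textarea_field(), check_ajax_referer(), current_user_can(), get_option(), update_option() and wp_send_json_*() are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. 'example_*' names are hypothetical.

// Vulnerable pattern from the advisory: the stored list is echoed into the
// textarea via implode() with no output escaping, so any stored value that
// contains markup is interpreted by the browser of whoever opens the page.
function example_render_watched_domains_vulnerable() {
    $domains = (array) get_option( 'example_watched_domains', array() );
    echo '<textarea name="watched_domains">' . implode( "\n", $domains ) . '</textarea>';
}

// Hardened AJAX save handler: verify nonce and capability, then keep only
// lines that are well-formed hostnames so nothing but domains is stored.
function example_save_watched_domains() {
    check_ajax_referer( 'example_watched_domains_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw   = isset( $_POST['domains'] ) ? wp_unslash( $_POST['domains'] ) : '';
    $clean = array();
    foreach ( preg_split( '/\r\n|\r|\n/', sanitize_textarea_field( $raw ) ) as $line ) {
        $host = strtolower( trim( $line ) );
        // Allowlist: dot-separated labels of letters, digits and hyphens.
        if ( preg_match( '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/', $host ) ) {
            $clean[] = $host;
        }
    }
    $clean = array_values( array_unique( $clean ) );
    update_option( 'example_watched_domains', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_watched_domains', 'example_save_watched_domains' );

// Hardened render: escape at the point of output regardless of what is stored.
function example_render_watched_domains_hardened() {
    $domains = (array) get_option( 'example_watched_domains', array() );
    echo '<textarea name="watched_domains">'
        . esc_textarea( implode( "\n", $domains ) )
        . '</textarea>';
}
```

Escaping on output with esc_textarea() is what closes the stored XSS, because it neutralises whatever already sits in the database; the input allowlist is defence in depth that also keeps previously stored junk from being re-saved.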
How can this vulnerability impact me?
This vulnerability allows an attacker with Administrator-level access to inject malicious scripts into the plugin's settings page. These scripts execute in the context of users who visit that page, potentially leading to unauthorized actions such as stealing session cookies, performing actions on behalf of users, or spreading malware.
Because the attacker must already have high-level privileges, the risk is somewhat mitigated, but it still poses a threat to site integrity and user security.
The CVSS v3.1 base score is 4.4, indicating a medium severity impact with low confidentiality and integrity impact but no availability impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored Cross-Site Scripting (XSS) in the 'Watched domains' textarea of the TP2WP Importer plugin settings page. Detection would involve checking for malicious script injections in the 'Watched domains' field within the WordPress admin interface.
Since the vulnerability requires authenticated Administrator-level access to inject scripts, detection on the network level is limited. However, you can inspect the contents of the 'Watched domains' setting in the plugin's database entries or via the WordPress admin UI for suspicious script tags or encoded JavaScript.
No specific commands are provided in the available resources to detect this vulnerability automatically.