CVE-2026-2489
Received Received - Intake
Stored XSS in TP2WP Importer Plugin Allows Admin Script Injection

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: Wordfence

Description
The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping when domains are saved via AJAX and rendered with echo implode() without esc_textarea(). This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the attachment importer settings page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2489
EUVD
EUVD-2026-8807
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tp2wp_importer tp2wp_importer to 1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting Administrator-level access to trusted users only, as exploitation requires authenticated admin privileges.

Avoid entering or accepting untrusted input in the 'Watched domains' textarea until a patch or update is available.

Monitor for updates or patches from the plugin author or WordPress plugin repository and apply them promptly once released.

Executive Summary

The TP2WP Importer plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'Watched domains' textarea on the attachment importer settings page. This vulnerability exists in all versions up to and including 1.1. It occurs because the plugin does not properly sanitize input or escape output when domains are saved via AJAX and then rendered using echo implode() without esc_textarea().

As a result, an authenticated attacker with Administrator-level access or higher can inject arbitrary web scripts that will execute whenever any user accesses the attachment importer settings page.

Impact Analysis

This vulnerability allows an attacker with Administrator-level access to inject malicious scripts into the plugin's settings page. These scripts execute in the context of users who visit that page, potentially leading to unauthorized actions such as stealing session cookies, performing actions on behalf of users, or spreading malware.

Because the attacker must already have high-level privileges, the risk is somewhat mitigated, but it still poses a threat to site integrity and user security.

The CVSS v3.1 base score is 4.4, indicating a medium severity impact with low confidentiality and integrity impact but no availability impact.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) in the 'Watched domains' textarea of the TP2WP Importer plugin settings page. Detection would involve checking for malicious script injections in the 'Watched domains' field within the WordPress admin interface.

Since the vulnerability requires authenticated Administrator-level access to inject scripts, detection on the network level is limited. However, you can inspect the contents of the 'Watched domains' setting in the plugin's database entries or via the WordPress admin UI for suspicious script tags or encoded JavaScript.

No specific commands are provided in the available resources to detect this vulnerability automatically.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart