CVE-2026-2602
Stored XSS in Twentig WordPress Plugin Allows Script Injection
Publication date: 2026-03-29
Last updated on: 2026-03-29
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| twentig | twentig | to 1.9.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Twentig plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'featuredImageSizeWidth' parameter in versions up to and including 1.9.7.
This vulnerability exists because the plugin does not properly sanitize input or escape output for this parameter.
As a result, authenticated users with Contributor-level access or higher can inject malicious scripts into pages.
These scripts will execute whenever any user accesses the affected page.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject arbitrary web scripts into pages.
When other users visit these pages, the malicious scripts will execute in their browsers.
This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware.
The vulnerability has a CVSS v3.1 base score of 6.4, indicating a medium severity with network attack vector, low attack complexity, and no user interaction required.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the Twentig WordPress plugin, you should update the plugin to version 2.0 or later, where the issue has been fixed.
This update addresses the Stored Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping in the 'featuredImageSizeWidth' parameter.
Additionally, restrict Contributor-level access and above to trusted users only, as the vulnerability requires authenticated access at that level.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'featuredImageSizeWidth' parameter in the Twentig WordPress plugin versions up to 1.9.7. Detection typically involves identifying if the vulnerable plugin version is installed and if the parameter is being exploited.
To detect the vulnerability on your system, first verify the installed version of the Twentig plugin. You can do this by checking the plugin version in the WordPress admin dashboard or by running the following command on the server:
- grep -i 'twentig' wp-content/plugins/twentig/readme.txt
To detect potential exploitation attempts on your network, you can monitor HTTP requests for suspicious payloads in the 'featuredImageSizeWidth' parameter. For example, using command-line tools like tcpdump or tshark to filter HTTP POST or GET requests containing this parameter:
- tshark -Y 'http.request.method == "POST" && http.request.uri.query contains "featuredImageSizeWidth"' -T fields -e http.host -e http.request.uri
- tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'featuredImageSizeWidth'
Additionally, scanning your WordPress site for stored XSS payloads in pages or posts where the parameter might be injected can help detect exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Twentig plugin allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via Stored Cross-Site Scripting (XSS). This can lead to unauthorized script execution when users access the injected pages.
Such vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or manipulation of user data, potentially resulting in data breaches or exposure of personal information.
Specifically, GDPR requires organizations to protect personal data against unauthorized processing and ensure data integrity and confidentiality. Stored XSS vulnerabilities can undermine these requirements by enabling attackers to execute malicious scripts that could steal user data or credentials.
Similarly, HIPAA mandates safeguards to protect electronic protected health information (ePHI). Exploitation of such vulnerabilities could compromise ePHI confidentiality and integrity, leading to non-compliance.