{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2602", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-16T21:06:07.204Z", "datePublished": "2026-03-29T01:24:46.055Z", "dateUpdated": "2026-03-29T01:24:46.055Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-29T01:24:46.055Z"}, "affected": [{"vendor": "twentig", "product": "Twentig Supercharged Block Editor \u2013 Blocks, Patterns, Starter Sites, Portfolio", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.9.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Twentig <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'featuredImageSizeWidth'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f07881db-7494-4e6d-82ea-16018fa81806?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486634/twentig"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-17T18:13:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-28T13:21:26.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2602", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-29T02:16:16.360", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3486634/twentig"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f07881db-7494-4e6d-82ea-16018fa81806?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Twentig Supercharged Block Editor \u2013 Blocks, Patterns, Starter Sites, Portfolio", "source": "cna", "vendor": "twentig"}, "product": "twentig_supercharged_block_editor_\u2013_blocks,_patterns,_starter_sites,_portfolio", "vendor": "twentig"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-29T06:21:02.904204+00:00", "value": {"mitigation_remediation": ["Upgrade the Twentig plugin to the newest version that fixes the XSS flaw.", "If an upgrade is not immediately possible, restrict Contributor\u2011level or higher access from the plugin\u2019s configuration interface or disable the featuredImageSizeWidth setting until a patch is released.", "After any change, verify that the value is no longer stored or rendered unsanitized in the plugin\u2019s output."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting enabling arbitrary JavaScript execution in users' browsers"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the Twentig Supercharged Block Editor \u2013 Blocks, Patterns, Starter Sites, Portfolio WordPress plugin for the vendor Twentig. All releases up to and including version 1.9.7 are impacted; any site running those versions is vulnerable unless the plugin is upgraded to a newer release that removes the flaw.", "description_and_impact": "The Twentig plugin for WordPress incorrectly handles the value entered into the featuredImageSizeWidth field, storing it without proper sanitization or escaping. When an authenticated user with Contributor-level privileges records a value, the data is later rendered on pages, allowing a stored cross\u2011site scripting flaw that can execute arbitrary JavaScript code in the browsers of visitors to the affected page.", "risk_and_exploitability": "The CVSS score of 6.4 classifies it as a medium\u2011severity issue. Exploitation requires an authenticated account with Contributor or higher privileges. Because the payload is stored, it will run whenever a user views the compromised page, potentially exposing the site to broader attacks; typical consequences of stored XSS include credential theft, session hijacking, or defacement, though these are inferred from the nature of the flaw and are not explicitly stated in the CVE description. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-03-29T20:31:50.470208+00:00", "updated": "2026-03-30T06:58:42.760754+00:00", "vendors": ["twentig", "twentig$PRODUCT$twentig_supercharged_block_editor_\u2013_blocks,_patterns,_starter_sites,_portfolio", "wordpress", "wordpress$PRODUCT$wordpress"]}