CVE-2026-2027 identifies a stored cross-site scripting (XSS) vulnerability in the AMP Enhancer – Compatibility Layer for the Official AMP Plugin for WordPress, versions up to and including 1.0.49. The vulnerability stems from improper neutralization of input during web page generation, specifically in the AMP Custom CSS setting, where user-supplied attributes are not adequately sanitized or escaped before being rendered. This flaw allows an authenticated attacker with Administrator-level access or higher to inject arbitrary JavaScript code into pages served by the affected WordPress multi-site installations. The vulnerability is constrained to multi-site environments where the unfiltered_html capability is disabled, limiting the attack surface to certain configurations. Upon successful exploitation, the injected scripts execute in the context of any user visiting the compromised pages, potentially leading to session hijacking, privilege escalation, or defacement. The attack vector requires network access but no user interaction beyond the attacker’s own authenticated session. The CVSS v3.1 score of 4.4 reflects the medium severity, considering the requirement for high privileges and the limited impact on availability. No public exploits have been reported, and no patches are currently linked, indicating that mitigation may require configuration changes or vendor updates once available.

For European organizations, especially those operating WordPress multi-site environments with the AMP Enhancer plugin, this vulnerability poses a risk of unauthorized script execution that can compromise administrative sessions and site integrity. While the attack requires administrator-level access, insider threats or compromised credentials could enable exploitation. The injected scripts could be used to steal sensitive information, manipulate site content, or pivot to further attacks within the network. Given the widespread use of WordPress in Europe, particularly in sectors such as media, education, and government, the vulnerability could affect high-profile targets. The limitation to multi-site installations and disabled unfiltered_html reduces the overall exposure but does not eliminate risk for organizations with complex WordPress deployments. The medium severity rating suggests that while the vulnerability is not critical, it still demands timely attention to prevent potential reputational damage and data confidentiality breaches.

European organizations should immediately audit their WordPress environments to identify multi-site installations using the AMP Enhancer plugin up to version 1.0.49. Until an official patch is released, administrators should consider disabling or restricting access to the AMP Custom CSS setting to prevent malicious input. Implementing strict role-based access controls to limit administrator privileges and monitoring for unusual administrative activity can reduce exploitation risk. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting the AMP Custom CSS parameter can provide interim protection. Additionally, enabling security plugins that sanitize inputs and outputs or applying manual code reviews to the plugin’s handling of CSS inputs may mitigate the vulnerability. Organizations should also educate administrators about the risks of privilege misuse and enforce strong authentication mechanisms, such as multi-factor authentication, to prevent credential compromise. Regular backups and incident response plans should be updated to handle potential XSS incidents.