CVE-2026-2027 identifies a stored cross-site scripting vulnerability (CWE-79) in the AMP Enhancer – Compatibility Layer for the Official AMP Plugin for WordPress, present in all versions up to and including 1.0.49. The vulnerability stems from improper neutralization of user input in the AMP Custom CSS setting, where insufficient sanitization and output escaping allow injection of arbitrary JavaScript code. This flaw specifically affects multi-site WordPress installations where the unfiltered_html capability is disabled, limiting the ability to insert raw HTML but not preventing script injection via this vector. Exploitation requires an attacker to have authenticated administrator-level access or higher, enabling them to embed malicious scripts that persist in the site content. These scripts execute in the context of any user visiting the affected pages, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. The vulnerability does not require user interaction to trigger once the malicious script is injected. The CVSS 3.1 base score is 4.4, reflecting network attack vector, high attack complexity, high privileges required, no user interaction, and limited confidentiality and integrity impact without availability impact. No public exploit code or active exploitation has been reported. The vulnerability highlights the risk of insufficient input validation in plugin settings that accept user-supplied CSS, especially in multi-site environments where administrative privileges are shared or delegated.

The primary impact of CVE-2026-2027 is the potential for persistent cross-site scripting attacks on WordPress sites using the vulnerable AMP Enhancer plugin in multi-site configurations. Successful exploitation could allow attackers with administrator privileges to inject malicious JavaScript that executes in the browsers of site visitors and administrators. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, defacement, or distribution of malware. While the vulnerability requires high privileges to exploit, it poses a significant risk in environments where administrator accounts may be compromised or where insider threats exist. The multi-site context increases risk by potentially affecting multiple sites under a single WordPress installation. Given the widespread use of WordPress globally and the popularity of AMP for mobile optimization, organizations relying on this plugin could face reputational damage, data breaches, and operational disruptions if the vulnerability is exploited. However, the medium CVSS score and requirement for high privileges limit the threat to scenarios involving privileged user compromise.

To mitigate CVE-2026-2027, organizations should immediately update the AMP Enhancer – Compatibility Layer plugin to a version where this vulnerability is fixed once available. Until a patch is released, administrators should restrict access to the AMP Custom CSS setting to only the most trusted users and audit administrator accounts for suspicious activity. Enabling strict input validation and sanitization on custom CSS inputs can reduce risk. Additionally, consider disabling or limiting multi-site installations if not required, as the vulnerability specifically affects multi-site setups. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in CSS fields can provide temporary protection. Regularly monitoring logs for unusual administrator actions and conducting security awareness training for privileged users will help prevent exploitation. Finally, ensure that the WordPress core, themes, and other plugins are kept up to date to minimize overall attack surface.