CVE-2026-2489 is a stored cross-site scripting vulnerability in the readymadeweb TP2WP Importer WordPress plugin affecting all versions up to 1.1. The issue occurs due to improper neutralization of input in the 'Watched domains' textarea on the attachment importer settings page. Specifically, domains saved via AJAX are output using echo implode() without applying esc_textarea(), leading to insufficient sanitization and escaping. Authenticated users with Administrator privileges can exploit this to inject malicious scripts that execute when the settings page is viewed. The vulnerability has a CVSS 3.1 base score of 4.4 (medium severity), with attack vector network, high attack complexity, requiring high privileges, no user interaction, and impacts confidentiality and integrity with no availability impact.

An authenticated attacker with Administrator-level access or higher can inject and store malicious scripts in the plugin's settings page. These scripts execute in the context of the WordPress admin interface when the attachment importer settings page is accessed, potentially allowing theft of sensitive information, session hijacking, or other actions limited to the administrator's privileges. The impact is limited to confidentiality and integrity, with no direct availability impact. The vulnerability requires high privileges and has high attack complexity, reducing the likelihood of exploitation by lower-privileged users.

No official patch or fix is currently documented for this vulnerability. Administrators should monitor the vendor's advisory channels for updates or patches. Until a fix is available, restrict access to the attachment importer settings page to trusted administrators only. Avoid using the 'Watched domains' textarea feature if possible. Applying manual input sanitization or output escaping in the plugin code could mitigate the issue but requires developer intervention. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.