The TP2WP Importer plugin for WordPress suffers from a stored cross-site scripting vulnerability identified as CVE-2026-2489. This vulnerability exists in the 'Watched domains' textarea on the attachment importer settings page, where input is accepted via AJAX and saved without proper sanitization or escaping. Specifically, the plugin uses echo implode() to render the saved domains but fails to apply esc_textarea(), allowing malicious JavaScript code to be stored and executed in the context of the WordPress admin interface. Exploitation requires the attacker to have authenticated Administrator-level access or higher, enabling them to inject arbitrary scripts that execute whenever any user with access visits the affected settings page. The vulnerability impacts confidentiality and integrity by enabling script injection, potentially leading to session hijacking, unauthorized actions, or further compromise of the WordPress environment. The CVSS 3.1 score is 4.4 (medium), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly.

The primary impact of this vulnerability is the potential for stored XSS attacks within the WordPress administrative interface. An attacker with Administrator privileges can inject malicious scripts that execute in the browsers of other administrators or users with access to the attachment importer settings page. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of legitimate users, or deployment of further malware within the WordPress environment. While the vulnerability requires high privileges to exploit, the consequences can be severe in environments where multiple administrators manage the site. The scope is limited to sites using the TP2WP Importer plugin, but given WordPress's widespread use, affected sites could be globally distributed. The vulnerability does not affect availability but compromises confidentiality and integrity of the affected systems.

To mitigate this vulnerability, organizations should immediately update the TP2WP Importer plugin once a patched version is released by the vendor. Until a patch is available, administrators should restrict access to the attachment importer settings page to only the most trusted users and consider disabling or uninstalling the plugin if it is not essential. Additionally, applying manual input validation and output escaping in the plugin code—specifically using esc_textarea() when rendering the 'Watched domains' field—can reduce risk. Monitoring administrative accounts for suspicious activity and enforcing strong authentication controls can also help limit exploitation. Regular security audits of installed plugins and adherence to the principle of least privilege for WordPress users will further reduce exposure. Finally, web application firewalls (WAFs) with rules targeting stored XSS payloads may provide temporary protection.