CVE-2026-2602 is a stored cross-site scripting vulnerability identified in the Twentig Supercharged Block Editor WordPress plugin, versions up to and including 1.9.7. The vulnerability stems from improper neutralization of input during web page generation, specifically involving the 'featuredImageSizeWidth' parameter. This parameter is insufficiently sanitized and escaped, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79 and has a CVSS v3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring authentication but no user interaction beyond page viewing. The scope is changed as the vulnerability affects other users beyond the attacker. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the Twentig plugin for content management. The lack of available patches at the time of publication necessitates immediate mitigation efforts by administrators.

The primary impact of this vulnerability is on the confidentiality and integrity of WordPress sites using the Twentig plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users, potentially stealing session cookies, performing actions on behalf of users, or defacing content. This can lead to unauthorized access escalation, data leakage, and reputational damage. While availability is not directly affected, the compromised integrity and confidentiality can disrupt normal operations and trust in the affected websites. Organizations relying on WordPress for public-facing content, especially those with multiple contributors, face increased risk of targeted attacks exploiting this vulnerability. The medium severity score reflects the need for timely remediation to prevent exploitation, particularly in environments with many authenticated users.

To mitigate CVE-2026-2602, organizations should first update the Twentig plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict Contributor-level access to trusted users only and consider temporarily disabling the plugin if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious input patterns targeting the 'featuredImageSizeWidth' parameter can reduce exploitation risk. Additionally, applying Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script execution sources. Regularly auditing user roles and permissions to minimize unnecessary privileges will also reduce the attack surface. Monitoring logs for unusual activity related to page content changes or script injections can help detect attempted exploitation early. Finally, educating content contributors about safe input practices and the risks of injecting untrusted content is advisable.