Description
The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-02-14
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The AMP Enhancer plugin allows stored cross‑site scripting through the AMP Custom CSS setting. Insufficient input sanitization and output escaping enable an authenticated attacker with Administrator‑level access or higher to inject arbitrary JavaScript that will be executed whenever a page containing the custom CSS is viewed by a user. This flaw is a classic input‑validation weakness classified as CWE‑79.

Affected Systems

WordPress installations that use AMP Enhancer version 1.0.49 or earlier, specifically in multi‑site configurations or where the unfiltered_html capability has been disabled. Any site that grants Administrator privileges to a user can be used to inject malicious payloads into the custom CSS field.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, while the EPSS score of less than 1 % reflects a very low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Administrator or higher privileges and the ability to modify the AMP Custom CSS setting; once injected, the script will execute for all visitors to the affected pages.

Generated by OpenCVE AI on April 16, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AMP Enhancer to a version newer than 1.0.49, which removes the insecure handling of custom CSS.
  • Delete or clear any custom CSS entries that contain user‑supplied content to eliminate the stored scripts.
  • Limit the number of users with Administrator‑level access and audit roles to ensure only trusted accounts can modify the plugin settings.

Generated by OpenCVE AI on April 16, 2026 at 00:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Ampenhancer
Ampenhancer amp Enhancer – Compatibility Layer For Official Amp Plugin
Wordpress
Wordpress wordpress
Vendors & Products Ampenhancer
Ampenhancer amp Enhancer – Compatibility Layer For Official Amp Plugin
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 04:45:00 +0000

Type Values Removed Values Added
Description The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title AMP Enhancer <= 1.0.49 - Authenticated (Administrator+) Stored Cross-Site Scripting via AMP Custom CSS Setting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ampenhancer Amp Enhancer – Compatibility Layer For Official Amp Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:43.544Z

Reserved: 2026-02-05T21:25:59.550Z

Link: CVE-2026-2027

cve-icon Vulnrichment

Updated: 2026-02-17T14:59:11.348Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T05:16:21.313

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:00:19Z

Weaknesses