Description
The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-29
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting enabling arbitrary JavaScript execution in users' browsers
Action: Immediate Patch
AI Analysis

Impact

The Twentig plugin for WordPress incorrectly handles the value entered into the featuredImageSizeWidth field, storing it without proper sanitization or escaping. When an authenticated user with Contributor-level privileges saves a value, that data is later rendered into pages unescaped, producing a stored cross-site scripting flaw that can execute arbitrary JavaScript in the browsers of visitors to the affected page.

Affected Systems

This vulnerability affects the Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio WordPress plugin for the vendor Twentig. All releases up to and including version 1.9.7 are impacted; any site running those versions is vulnerable unless the plugin is upgraded to a newer release that removes the flaw.

Risk and Exploitability

The CVSS score of 6.4 classifies this as a medium-severity issue. Exploitation requires an authenticated account with Contributor or higher privileges. Because the payload is stored, it runs whenever a user views the compromised page, potentially exposing the site to broader attacks; typical consequences of stored XSS include credential theft, session hijacking, or defacement, though these are inferred from the nature of the flaw and are not explicitly stated in the CVE description. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on March 29, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Twentig plugin to the newest version that fixes the XSS flaw.
  • If an upgrade is not immediately possible, restrict Contributor-level or higher access from the plugin's configuration interface or disable the featuredImageSizeWidth setting until a patch is released.
  • After any change, verify that the value is no longer stored or rendered unsanitized in the plugin’s output.


Tracking


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Twentig; Twentig twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Twentig; Twentig twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio; Wordpress; Wordpress wordpress

Sun, 29 Mar 2026 02:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Twentig <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'featuredImageSizeWidth'

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Twentig Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:14.691Z

Reserved: 2026-02-16T21:06:07.204Z

Link: CVE-2026-2602

Vulnrichment

Updated: 2026-04-01T14:25:30.903Z

NVD

Status : Deferred

Published: 2026-03-29T02:16:16.360

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-2602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:58:42Z

Weaknesses