CVE-2026-2602 in Twentig Supercharged Block Editor Plugin
Résumé (Anglaise)
The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Responsable
Wordfence
Réserver
16/02/2026
Divulgation
29/03/2026
Entrées
| Publié | Base | Temp | Vulnérabilité | CWE | Prod | Exp | Con | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 29/03/2026 | 4.9 | 4.9 | Twentig Supercharged Block Editor Plugin Parameter cross site scripting | 79 | WordPress Plugin | Non défini | Non défini | 0.00029 | 8.76- | CVE-2026-2602 |