AMP Enhancer – Compatibility Layer for Official AMP Plugin Vulnerab…


by | Feb 13, 2026 | Plugins

Attack Vectors

The vulnerability (CVE-2026-2027) affects the WordPress plugin AMP Enhancer – Compatibility Layer for Official AMP Plugin (slug: amp-enhancer) in versions up to and including 1.0.49. It is rated Medium severity (CVSS 4.4) and involves Stored Cross-Site Scripting (XSS) through the plugin’s “AMP Custom CSS” setting.

This is an authenticated attack path: it requires an attacker to have Administrator-level access (or higher). Once that access exists, the attacker can place malicious script content into the AMP Custom CSS field, which can then execute when someone views an affected page.

Importantly for risk scoping, the reported exposure is limited to multi-site installations and to sites where the unfiltered_html capability has been disabled; on a standard single-site install, administrators already hold unfiltered_html and can post raw HTML anyway, so the flaw adds nothing there. If your organization operates WordPress in a multi-site configuration, which is typical for enterprises, franchises, and groups managing multiple web properties from a shared environment, the issue is directly relevant.

Security Weakness

The core weakness is insufficient input sanitization and output escaping of the user-supplied value in the AMP Custom CSS setting. In practical terms, the plugin does not adequately prevent script-bearing content from being stored in that setting and later rendered in a way that the browser treats as executable script.

Because this is a stored issue, it can persist in the system and trigger repeatedly until it is found and removed. While the severity is Medium, the “stored” nature makes it a reliability and governance concern—especially in organizations where multiple administrators, agencies, or third parties have privileged access to the WordPress environment.
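To make the weakness concrete, here is an added example (not code from the amp-enhancer plugin, from Wordfence, or from WordPress core) contrasting a "custom CSS" option that is stored and printed raw with a version that sanitizes on save and again on output. It also shows where the unfiltered_html capability discussed under Attack Vectors fits in. The option name, function names and the absence of hook wiring are assumptions made for the example; the WordPress functions called (wp_strip_all_tags, current_user_can, get_option, update_option) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Option name and function names
// are hypothetical. The WordPress functions used are core APIs.

// --- Vulnerable pattern: store whatever was submitted, print it raw --------

function example_save_custom_css_unsafe( $submitted ) {
    // Whatever arrives is stored as-is, so a value such as
    // "</style><script>...</script>" persists in the database.
    update_option( 'example_amp_custom_css', $submitted );
}

function example_print_custom_css_unsafe() {
    // The stored string is echoed straight into a <style> element. A
    // "</style>" inside the value closes that element early and the rest of
    // the value is parsed as HTML: this is how a stored value becomes script.
    echo '<style>' . get_option( 'example_amp_custom_css', '' ) . '</style>';
}

// --- Hardened pattern: sanitize on save, re-check on output ---------------

/**
 * Reduce a submitted CSS string to something that cannot break out of a
 * <style> element. Returns the cleaned string.
 */
function example_sanitize_custom_css( $css ) {
    $css = (string) $css;
    // wp_strip_all_tags() removes <script>/<style> elements with their
    // contents and then strips any remaining HTML tags.
    $css = wp_strip_all_tags( $css );
    // Be explicit about the one token that would end the <style> element,
    // in any letter case and with stray whitespace, as defence in depth.
    $css = preg_replace( '#</\s*style#i', '', $css );
    return $css;
}

function example_save_custom_css_safe( $submitted ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // Users who lack unfiltered_html (every user on multisite except super
    // admins, and everyone on a site where it has been disabled) must never
    // be able to store markup through this setting. Users who hold it could
    // already post raw HTML elsewhere, so sanitizing for them costs nothing
    // security-wise; one code path for everyone is simpler to audit.
    $clean = example_sanitize_custom_css( $submitted );
    update_option( 'example_amp_custom_css', $clean );
    return $clean;
}

function example_print_custom_css_safe() {
    $css = get_option( 'example_amp_custom_css', '' );
    // Re-sanitize on output so a value edited directly in the database (or
    // stored by an older, unsanitized version) still cannot close the element.
    $css = example_sanitize_custom_css( $css );
    if ( '' === $css ) {
        return;
    }
    echo "<style id=\"example-amp-custom-css\">\n" . $css . "\n</style>\n";
}

// --- Audit helper for responders -------------------------------------------

/**
 * True when the value currently stored would be changed by sanitization,
 * i.e. it contains tags or a </style> token that legitimate CSS does not need.
 */
function example_custom_css_is_tainted() {
    $stored = (string) get_option( 'example_amp_custom_css', '' );
    return $stored !== example_sanitize_custom_css( $stored );
}
```

The audit helper is the piece a responder can reuse while a fix is pending: loaded from a must-use plugin, it can be checked with `wp eval 'var_dump( example_custom_css_is_tainted() );'` against the real option name once that is known, which tells you whether the stored setting currently holds anything other than plain CSS. The sanitizer is deliberately stricter than a CSS grammar check; stripping tags may mangle the rare stylesheet that uses a literal "<" inside a string, which is an acceptable trade for a setting that must never be able to emit markup.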

Technical or Business Impacts

A successful stored XSS event can undermine trust in your digital brand and introduce business risk that extends beyond “a website bug.” If a malicious script runs in a visitor’s browser, it can potentially manipulate what users see on your site, alter on-page messaging, or interfere with forms and conversion flows—creating measurable marketing and revenue impacts.

From a business operations perspective, this can also increase the risk of data exposure in the context of user sessions and site functionality, and it may trigger compliance review requirements depending on your industry and internal controls. For marketing directors and executives, the key concern is that unauthorized script content can affect customer experience, campaign integrity, and brand reputation without being obvious in everyday content reviews.

There is currently no known patch available for AMP Enhancer – Compatibility Layer for Official AMP Plugin (through 1.0.49). Given that, organizations should consider mitigations aligned to risk tolerance—up to and including uninstalling the affected plugin and replacing it. You can review the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-2027 and the source advisory at Wordfence Threat Intelligence.

Similar Attacks

Stored XSS is a common class of web vulnerability that has impacted major platforms and plugins over time, often leading to defacement, fraudulent redirects, and compromised user experiences. For general background and real-world context, see:

CISA Alert: WordPress vulnerabilities could allow remote code execution (historical context)

Wordfence blog (examples of WordPress plugin vulnerabilities, including XSS patterns)
