CVE-2026-2489

Name of the Vulnerable Software and Affected Versions TP2WP Importer plugin for WordPress versions up to and including 1.1

Description The software is susceptible to Stored Cross-Site Scripting through the 'Watched domains' textarea on the attachment importer settings page. This is caused by inadequate input sanitization and output escaping when domains are saved using AJAX and rendered with echo implode() without esc textarea(). Authenticated attackers with Administrator-level access or higher can inject arbitrary web scripts into pages that execute when a user accesses the attachment importer settings page. The vulnerable parameter is Watched domains.

Recommendations Update the TP2WP Importer plugin to a version beyond 1.1.