Atomic Edge analysis of CVE-2026-2027 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the AMP Enhancer WordPress plugin, affecting all versions up to and including 1.0.49. The issue resides in the plugin’s AMP Custom CSS setting. An attacker with administrator-level privileges or higher can inject a script that the plugin stores and that executes whenever a user views an affected page. The CVSS score of 4.4 reflects the high privileges required and the low attack complexity, together with a scope change: the injected script executes in the visitor’s browser and so can affect components beyond the vulnerable plugin itself.
Atomic Edge research infers the root cause is improper neutralization of user input (CWE-79). The vulnerability description explicitly cites insufficient input sanitization and output escaping on user-supplied attributes for the AMP Custom CSS setting. This suggests the plugin accepts custom CSS through an administrative interface, stores it without adequate sanitization, and later outputs it without proper escaping. The note that the flaw only matters on multi-site installations or where the `unfiltered_html` capability has been disabled fits this picture: on a default single-site install administrators already hold `unfiltered_html` and may post raw markup, so the plugin is implicitly relying on that capability-based trust, and its missing sanitization becomes a vulnerability precisely in the configurations where WordPress would otherwise have filtered the administrator’s input.
The exploitation method requires an authenticated attacker with administrator privileges. The attacker would navigate to the plugin’s settings page in the WordPress admin area, likely under a menu like ‘AMP Enhancer’ or within the ‘Settings’ section, and submit a malicious payload in the ‘AMP Custom CSS’ field. A realistic payload would close the enclosing HTML tag or attribute and inject script or a JavaScript event handler, with a proof-of-concept body such as `alert(document.domain)`. The payload is stored by the plugin and subsequently rendered without escaping on the site’s front-end AMP pages.
Effective remediation requires implementing proper output escaping. The plugin developers must ensure any user-controlled data rendered in HTML context uses WordPress escaping functions like `esc_html()` or `esc_attr()`. For CSS contexts, specific CSS escaping or validation is necessary. Input sanitization for CSS should also be strengthened, but output escaping remains the primary defense, especially against stored XSS.
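As an added illustration of the remediation described above, not code from the AMP Enhancer plugin or from Atomic Edge, the following PHP shows one defensive way to register, sanitize and emit an administrator-supplied custom CSS option in a WordPress plugin. All option, hook and function names prefixed `ampx_example_` are hypothetical. It follows the approach WordPress core takes for its own Additional CSS feature: reject input containing anything tag-like at save time, strip tags again at output time, and treat the input as untrusted regardless of the submitting user’s role, since in the affected configurations an administrator does not hold `unfiltered_html`. Note that `esc_html()` is deliberately not used inside the `<style>` element: a style element is raw text, so encoding `>` to `&gt;` would break child selectors such as `a > b` rather than protect anything.

```php
<?php
/**
 * Added example (hypothetical names, not the plugin's own code): storing and
 * emitting administrator-supplied custom CSS without allowing it to break out
 * of the <style> element it is printed into.
 */

/**
 * Pure check: does the supplied CSS contain markup or malformed braces?
 * Returns '' when the CSS is acceptable, otherwise a human-readable reason.
 *
 * A <style> element ends at the first "</style" regardless of CSS syntax, so
 * any "<" or "</" followed by a tag name is enough to enable a breakout; this
 * is the same rule WordPress core applies to Additional CSS.
 */
function ampx_example_css_problem( $css ) {
    $css = (string) $css;

    if ( preg_match( '#</?\w+#', $css ) ) {
        return 'Markup is not allowed in CSS.';
    }

    // Unbalanced braces are not a security issue by themselves, but rejecting
    // them keeps obviously malformed input (and many injection attempts) out.
    if ( substr_count( $css, '{' ) !== substr_count( $css, '}' ) ) {
        return 'Unbalanced curly brackets in CSS.';
    }

    return '';
}

/**
 * Settings API sanitize_callback. On a bad value it records a settings error
 * and returns the previously stored value, so nothing unsafe is ever saved.
 */
function ampx_example_sanitize_custom_css( $css ) {
    $previous = get_option( 'ampx_example_custom_css', '' );
    $problem  = ampx_example_css_problem( $css );

    if ( '' !== $problem ) {
        add_settings_error( 'ampx_example_custom_css', 'ampx_example_invalid_css', $problem );
        return $previous; // keep the last known-good CSS
    }

    // wp_strip_all_tags() also removes <script>/<style> elements with their
    // contents; after the regex above it is a second line of defence only.
    return wp_strip_all_tags( (string) $css );
}

/**
 * Register the option so update_option() always routes through the sanitizer,
 * whether the value arrives from the settings form or from other plugin code.
 */
add_action( 'admin_init', function () {
    register_setting(
        'ampx_example_settings',            // hypothetical settings group
        'ampx_example_custom_css',          // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'ampx_example_sanitize_custom_css',
            'default'           => '',
        )
    );
} );

/**
 * Output-time defence: strip tags again before printing, so a value that
 * reached the database by some other path still cannot terminate the style
 * element. On a real AMP page this CSS would have to be merged into the page's
 * single <style amp-custom> element; a plain <style> is used here for brevity.
 */
function ampx_example_print_custom_css() {
    $css = get_option( 'ampx_example_custom_css', '' );
    if ( '' === $css ) {
        return;
    }
    echo "<style>\n" . wp_strip_all_tags( (string) $css ) . "\n</style>\n";
}
add_action( 'wp_head', 'ampx_example_print_custom_css' );
```

With this in place, a constructed value such as `body { color: red } </style>` is rejected at save time by `ampx_example_css_problem()` (it matches the `</?\w+` check), while ordinary CSS with combinators and braces is stored unchanged; the output hook then re-strips whatever is stored, so the two layers do not depend on each other.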
Successful exploitation leads to stored XSS. Injected scripts execute in the browser of any user visiting an affected AMP page. This allows an attacker to perform actions within the victim’s session, such as stealing cookies, redirecting users, or modifying page content. The impact is amplified because the vulnerability affects stored content, enabling persistent attacks against all site visitors. The requirement for administrator credentials limits immediate widespread abuse but poses a significant threat in compromised admin account scenarios or insider attacks.
