Key Vulnerability Information

Vulnerability: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CVE: CVE-2026-2489
CVSS Score: 4.4 (Medium)
Publicly Published: February 25, 2026
Last Updated: February 26, 2026
Researcher: Muhammad Nur Ibnu Hubab (Ibnu) - Pondok Teknologi

Affected Software

Software Type: Plugin
Software Slug: tp2wp-importer
Patched?: No
Affected Version: <= 1.1
Remediation: No known patch available. Recommended to uninstall the affected software and find a replacement.

Description

The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping: domains saved via AJAX are later rendered with echo implode() without esc_textarea(). This allows authenticated attackers to inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses the attachment importer settings page.
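To make the mechanism in the description concrete, the following is an added PHP example written for this page; it is not code from the tp2wp-importer plugin. It places the unescaped textarea render the advisory describes beside the form that uses WordPress core's esc_textarea(), and adds a validating save handler. The option name (example_watched_domains), the nonce action, the function names and the regular expression are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Option name, function names,
// nonce action and the hostname regex are assumptions for illustration.

// --- Vulnerable pattern described in the advisory -----------------------
// Stored domains are echoed straight into a <textarea>. Because nothing is
// encoded, a stored value that contains a closing </textarea> tag ends the
// element early and everything after it is parsed as page HTML, so it runs
// for any user who opens the settings page.
function render_watched_domains_vulnerable( array $domains ) {
    echo '<textarea name="watched_domains">';
    echo implode( "\n", $domains ); // no esc_textarea()
    echo '</textarea>';
}

// --- Hardened pattern ----------------------------------------------------
// esc_textarea() HTML-encodes the value, so it cannot close the <textarea>;
// the browser still displays the original characters to the user.
function render_watched_domains_safe( array $domains ) {
    echo '<textarea name="watched_domains">';
    echo esc_textarea( implode( "\n", $domains ) );
    echo '</textarea>';
}

// --- Defence in depth on the save path -----------------------------------
// Output escaping alone fixes the XSS; validating on save additionally keeps
// non-hostname input out of the option. The capability check and nonce are
// the standard WordPress guards for an admin AJAX endpoint.
function save_watched_domains_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'watched_domains_nonce', 'nonce' );

    $raw   = isset( $_POST['domains'] ) ? wp_unslash( $_POST['domains'] ) : '';
    $lines = preg_split( '/\r\n|\r|\n/', (string) $raw );
    $clean = array();
    foreach ( $lines as $line ) {
        $line = strtolower( trim( $line ) );
        if ( '' === $line ) {
            continue;
        }
        // Accept only a plausible DNS hostname (labels of letters, digits and
        // hyphens, a final alphabetic TLD, 253 characters overall at most).
        if ( ! preg_match( '/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/', $line ) ) {
            continue;
        }
        $clean[] = $line;
    }
    $clean = array_values( array_unique( $clean ) );
    update_option( 'example_watched_domains', $clean );
    wp_send_json_success( $clean );
}
```

The render functions are the part that maps directly onto the advisory: the only difference between them is the esc_textarea() call. When reviewing a plugin for this class of bug, look for any echo of a stored option inside a form control that is not wrapped in esc_textarea() (for textareas) or esc_attr() (for input values).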