WordPress Security Bulletin: AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress (CVE-2026-2027)

Security Alert Summary

The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in its AMP Custom CSS setting. Authenticated users with Administrator-level access and above can inject scripts that execute whenever a user views a page on which the injected content is output. The issue affects multisite installations and sites where unfiltered_html is disabled.


CVE Details

  • CVE ID: CVE-2026-2027
  • Affected component: AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress
  • Affected versions: All versions up to, and including, 1.0.49
  • Published / Last modified: February 14, 2026 at 5:16 AM UTC (both published and last modified)
  • CVSS v3.1: Base Score 4.4 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated attacker with Administrator-level access or above (per the CVE description). CVSS details: Privileges Required = HIGH, User Interaction = NONE.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)

Technical Details

The vulnerability is a stored cross-site scripting (XSS) issue triggered via the AMP Custom CSS setting. According to the CVE description, insufficient input sanitization and output escaping on user-supplied attributes allows authenticated users with Administrator-level privileges to inject arbitrary web scripts into pages. These scripts execute whenever a user views an injected page.

The problem lies in the plugin’s handling of custom AMP CSS input; references point to the admin file amp-enhancer-custom-css/amp-enhancer-custom-css.php, which manages the AMP Custom CSS setting. The vulnerability specifically affects multisite installations and installations where unfiltered_html has been disabled, that is, configurations in which Administrators are not normally permitted to store unfiltered markup, so any markup that reaches the page through this setting bypasses a restriction WordPress would otherwise enforce.

Impact is limited to what stored XSS typically allows given the stated privileges: execution of attacker-supplied scripts in the context of affected pages. The CVE and CVSS data do not indicate elevation of privileges beyond Administrator nor indicate direct impact to availability.
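The sanitize-on-save and strip-on-output pattern whose absence the bulletin describes, as an added illustration that is not the AMP Enhancer plugin’s own code: the option name amp_demo_custom_css and the amp_demo_* functions are hypothetical, and the markup check mirrors the one WordPress core applies to its own Custom CSS setting.

```php
<?php
// Hypothetical hardening for a plugin-managed "custom CSS" option.
// Not the AMP Enhancer plugin's code; names prefixed amp_demo_ are invented.

// Sanitize callback: runs before the option value is stored.
function amp_demo_sanitize_custom_css( $css ) {
    $css = (string) $css;

    // Users lacking unfiltered_html (every non-super-admin on multisite, and
    // everyone when DISALLOW_UNFILTERED_HTML is set) must not store markup.
    if ( ! current_user_can( 'unfiltered_html' ) && preg_match( '#</?\w+#', $css ) ) {
        add_settings_error(
            'amp_demo_custom_css',
            'amp_demo_markup_in_css',
            __( 'Markup is not allowed in CSS.', 'amp-demo' )
        );
        // Reject the submission and keep the previously stored value.
        return get_option( 'amp_demo_custom_css', '' );
    }

    // Strip tag-like content regardless of capability (defense in depth).
    return wp_strip_all_tags( $css );
}

function amp_demo_register_setting() {
    register_setting(
        'amp_demo_options',
        'amp_demo_custom_css',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'amp_demo_sanitize_custom_css',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'amp_demo_register_setting' );

// Output: esc_html() would mangle selectors such as `div > span`, so strip
// tags again at render time, the same way core prints its Custom CSS.
function amp_demo_print_custom_css() {
    $css = get_option( 'amp_demo_custom_css', '' );
    if ( '' === $css ) {
        return;
    }
    echo '<style id="amp-demo-custom-css">' . strip_tags( $css ) . '</style>' . "\n";
}
add_action( 'wp_head', 'amp_demo_print_custom_css', 101 );
```

The capability gate is what makes the multisite and DISALLOW_UNFILTERED_HTML cases behave as intended: a site Administrator without unfiltered_html gets a settings error instead of a stored payload, and the render-time strip_tags call contains any value that reached the database by another path.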


How This Could Impact Your Website

Imagine a WordPress network (multisite) where a contractor or an internal staff member with Administrator-level access updates site styles via the AMP Custom CSS field. An attacker with equivalent privileges could insert a script that runs when editors or end users view certain pages. Practical consequences include session token exposure in some contexts, leakage of user-facing data on affected pages, and increased risk of targeted phishing or social engineering against site staff and users.

The described vulnerability requires Administrator-level privileges to exploit, so it does not enable anonymous attackers to inject content. Even so, injected script execution can still harm user trust and enable targeted attacks against site users and staff.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE notes affected versions up to and including 1.0.49; a fixed version is not specified in the CVE entry.)
  • Review and reduce unnecessary user roles, especially users with Administrator-level access and Contributors who can manage content.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and logs for unusual behavior, especially changes to theme or plugin settings and unexpected edits to CSS or page content.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
