Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS.

This issue affects WPZOOM Portfolio: from n/a through 1.4.21.
Published: 2026-06-10
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WPZOOM Portfolio fails to neutralise user-supplied input while generating a page (CWE-79): a request parameter is reflected into the HTML response without escaping appropriate to the context it lands in. An attacker who persuades a victim to open a crafted URL gets arbitrary script executed in the victim's browser under the site's origin. From there the script can read anything the page exposes to JavaScript, alter the rendered page, and send requests to the site that carry the victim's authentication; if the victim is a logged-in WordPress administrator, those requests can do whatever the administrator can do through the browser. Nothing executes on the server, and only users who open the crafted link are affected. The CVSS vector records a scope change (S:C) for the same reason: the vulnerable component is the plugin, but the impact lands in the victim's browser.
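The pattern behind this weakness, as an added example that is not code from WPZOOM Portfolio (the page does not name the plugin's vulnerable parameter or output location; the `q` parameter and the markup below are hypothetical). It places a request value written straight into HTML beside the same output with context-aware escaping. Plain PHP 8 runs it with no WordPress installation, with htmlspecialchars() standing in for WordPress's esc_attr() and esc_html():

```php
<?php
declare(strict_types=1);

// Added illustration; not code from WPZOOM Portfolio. The parameter `q`, the
// markup and the payloads are constructed for this example.

// Vulnerable pattern (CWE-79): the request value goes into the HTML verbatim.
function render_vulnerable(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// Context-aware escaping. In a WordPress plugin you would call esc_attr() for
// attribute values and esc_html() for element text; htmlspecialchars() with
// ENT_QUOTES does the equivalent encoding here so the file is self-contained.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(string $q): string
{
    return '<input type="text" name="q" value="' . escape_html($q) . '">'
         . '<p>Results for ' . escape_html($q) . '</p>';
}

// Crude check used only to make the difference visible: does the output still
// carry a raw <script opener or an event-handler attribute smuggled in by the
// input? (Not a general XSS detector.)
function looks_injected(string $html): bool
{
    return str_contains($html, '<script')
        || preg_match('/"\s+on\w+="/i', $html) === 1;
}

// Constructed payloads of the kind an attacker puts in the URL sent to a victim:
// one breaks out of the attribute into a script tag, the other stays inside the
// tag and adds an event handler.
$payloads = [
    '"><script>alert(document.cookie)</script>',
    '" autofocus onfocus="alert(1)',
];

foreach ($payloads as $p) {
    $bad  = render_vulnerable($p);
    $good = render_hardened($p);
    printf(
        "payload:    %s\nvulnerable: %s  [injected: %s]\nhardened:   %s  [injected: %s]\n\n",
        $p,
        $bad,  looks_injected($bad)  ? 'yes' : 'no',
        $good, looks_injected($good) ? 'yes' : 'no'
    );
}
```

Run it with `php reflected_xss_example.php`. The point to take from the hardened version is that escaping happens at output time, per context: sanitising the value on input (for example with WordPress's sanitize_text_field()) does not replace it, and a value destined for a URL attribute or a JavaScript string needs a different encoder again.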

Affected Systems

WordPress installations that use the WPZOOM Portfolio plugin version 1.4.21 or earlier are affected. The plugin must be updated to at least 1.4.22 to eliminate the flaw.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) is toward the high end for reflected XSS. The attacker needs no privileges and faces no special preconditions, but exploitation requires user interaction (UI:R): a victim must open the crafted link, typically delivered by phishing, a comment, or a shortened URL. No EPSS score has been published, so the current exploit probability is unknown, and the CVE is not in the CISA KEV catalog; the SSVC entry in the history below (Exploitation: none, Automatable: no) says the same. Reflected XSS payloads are usually trivial to construct once the vulnerable parameter is known, but this page does not identify that parameter.

Generated by OpenCVE AI on June 10, 2026 at 14:36 UTC.

Remediation

Vendor Solution

Update the WordPress WPZOOM Portfolio Plugin to the latest available version (at least 1.4.22).


OpenCVE Recommended Actions

  • Upgrade the WPZOOM Portfolio Plugin to version 1.4.22 or higher.
  • If an update cannot occur immediately, deactivate the plugin. Setting the portfolio pages to private is not a dependable substitute, because a reflected XSS sink may sit in a request handler (an AJAX action, a shortcode, or an admin screen) that is reachable regardless of page visibility, and this page does not say where the vulnerable code is.
  • Deploy a Content Security Policy that limits script-src to trusted origins and nonced inline scripts as defence in depth until the patch is applied. A policy that includes 'unsafe-inline' in script-src gives no protection against injected script, and because WordPress core, themes and plugins emit inline scripts, a strict policy needs testing in staging before it reaches production.
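A concrete shape for the CSP recommendation, as an added example written for this page rather than taken from the plugin or OpenCVE. It builds a nonce-based policy in PHP 8 and includes a simplified model of the browser's script-src decision so the effect on an injected tag can be seen offline. The page markup is hypothetical, and on a real WordPress site the nonce would also have to be attached to every legitimate inline script that core, the theme and other plugins emit, which this example does not cover:

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the plugin or from OpenCVE. The markup,
// the injected tag and the browser model below are constructed for this example.

function csp_nonce(): string
{
    return base64_encode(random_bytes(16)); // unguessable, fresh for every response
}

function csp_policy(string $nonce): string
{
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; base-uri 'self'";
}

// Simplified model of the script-src check a browser applies to an inline
// <script> element: it runs only if its nonce attribute matches the policy's
// nonce. Real browsers apply the same rule to inline event handlers, which can
// carry no nonce and are therefore blocked unless the policy says 'unsafe-inline'.
function inline_script_allowed(string $script_tag, string $policy): bool
{
    if (str_contains($policy, "'unsafe-inline'")) {
        return true; // such a policy offers no protection against injected script
    }
    if (!preg_match("/'nonce-([A-Za-z0-9+\\/=]+)'/", $policy, $pm)) {
        return false; // no nonce source: inline script is blocked outright
    }
    if (!preg_match('/<script[^>]*\\snonce="([^"]*)"/i', $script_tag, $tm)) {
        return false; // tag carries no nonce, as any reflected payload would
    }
    return hash_equals($pm[1], $tm[1]);
}

$nonce  = csp_nonce();
$policy = csp_policy($nonce);
if (PHP_SAPI !== 'cli') {
    header('Content-Security-Policy: ' . $policy); // what a real response would send
}

$legit    = "<script nonce=\"{$nonce}\">console.log('theme script');</script>";
$injected = "<script>alert(document.cookie)</script>"; // reflected from the URL
$weak     = "default-src 'self'; script-src 'self' 'unsafe-inline'";

echo "Content-Security-Policy: {$policy}\n";
echo "legitimate nonced script allowed: ", inline_script_allowed($legit, $policy)    ? 'yes' : 'no', "\n";
echo "injected script allowed:          ", inline_script_allowed($injected, $policy) ? 'yes' : 'no', "\n";
echo "injected script under weak policy:", inline_script_allowed($injected, $weak)   ? ' yes' : ' no', "\n";
```

Run it with `php csp_example.php`. The model deliberately omits some browser rules (for instance, browsers ignore 'unsafe-inline' when a nonce or hash is also present in the same directive), so treat it as an illustration of why the nonce matters, not as a policy validator. CSP remains defence in depth: it limits what an injected payload can do, it does not remove the reflection that the 1.4.22 update fixes.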

Generated by OpenCVE AI on June 10, 2026 at 14:36 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

  Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 15:00:00 +0000

  First Time appeared, values added: Wordpress; Wordpress wordpress; Wpzoom; Wpzoom wpzoom Portfolio
  Vendors & Products, values added: Wordpress; Wordpress wordpress; Wpzoom; Wpzoom wpzoom Portfolio

Wed, 10 Jun 2026 13:30:00 +0000

  Description, values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS. This issue affects WPZOOM Portfolio: from n/a through 1.4.21.
  Title, values added: WordPress WPZOOM Portfolio plugin <= 1.4.21 - Cross Site Scripting (XSS) vulnerability
  Weaknesses, values added: CWE-79
  References, values added:
  Metrics, values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-10T15:09:57.355Z

Reserved: 2026-05-27T10:26:54.457Z

Link: CVE-2026-49069

Vulnrichment

Updated: 2026-06-10T15:09:52.192Z

NVD

Status : Received

Published: 2026-06-10T14:16:34.220

Modified: 2026-06-10T14:16:34.220

Link: CVE-2026-49069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T14:45:32Z

Weaknesses