CVE-2026-1187
Stored XSS in ZoomifyWP Plugin via 'filename' Shortcode Parameter

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filename' parameter of the 'zoomify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: terrazoom
Product: zoomifywp_free
Version / Range: up to 1.1 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through the 'filename' parameter of the 'zoomify' shortcode in all versions up to and including 1.1.

This vulnerability arises because the plugin does not properly sanitize or escape user-supplied input for the 'filename' attribute, allowing authenticated users with Contributor-level access or higher to inject arbitrary web scripts.

These injected scripts are stored and executed whenever any user accesses the page containing the injected shortcode, potentially compromising user sessions or site integrity.


How can this vulnerability impact me?

This vulnerability can allow attackers with Contributor-level access or above to inject malicious scripts into WordPress pages via the 'filename' parameter.

When other users visit the affected pages, the malicious scripts execute in their browsers, which can lead to theft of user credentials, session hijacking, defacement, or unauthorized actions performed on behalf of users.

Because the vulnerability is a Stored Cross-Site Scripting issue, the impact can be widespread and persistent, affecting all users who view the compromised content.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability exists in the ZoomifyWP Free WordPress plugin versions up to and including 1.1, specifically in the 'filename' parameter of the 'zoomify' shortcode. Detection involves identifying whether this plugin is installed at a vulnerable version and whether the shortcode is used with unsanitized input.

To detect exploitation attempts or the presence of the vulnerability, search for usage of the shortcode with suspicious or script-injected 'filename' parameters in WordPress posts or pages.

- Use WP-CLI to search posts for the shortcode usage (the ids are emitted space-separated, so split them onto separate lines before handing them to xargs):
  wp post list --post_type=post --format=ids | tr ' ' '\n' | xargs -I % wp post get % --field=post_content | grep '\[zoomify.*filename=.*<script'
- Check the plugin version installed by inspecting the plugin files or via WP-CLI:
  wp plugin get tz-zoomifywp-free --field=version
- Monitor web server logs for requests containing suspicious 'filename' parameters in URLs or POST data that include script tags or encoded payloads targeting the shortcode. [1, 4]
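The WP-CLI grep above only catches a literal <script. As an added example (not the advisory's or the plugin's code), the following Python script parses shortcode attributes the way WordPress does, flags any 'filename' value carrying markup, quote characters or event handlers, and shows the output escaping that renders such a value inert; the post content is constructed sample data.

```python
"""Scan WordPress post content for [zoomify] shortcodes whose 'filename'
attribute carries markup or script (the CWE-79 pattern of this CVE).
Added example for this advisory, not ZoomifyWP code; SAMPLE_POSTS is
constructed data and the attribute grammar follows WordPress' own
[name key="value" key='value' key=value] shortcode forms."""
import html
import re

# [zoomify ...] with its raw attribute string captured.
SHORTCODE_RE = re.compile(r"\[zoomify\b([^\]]*)\]", re.IGNORECASE)
# key="v", key='v' or key=v (an unquoted value runs to the next space).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Tokens that never belong in an image path: tag/attribute breakouts,
# javascript: URLs and inline event handlers.
INDICATOR_RE = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

# Constructed sample post content: two benign uses, two injected ones.
SAMPLE_POSTS = {
    11: 'Hall: [zoomify filename="tiles/museum_hall.zif" width="600"]',
    12: "Map: [zoomify filename='tiles/map' height=400]",
    13: "Bad: [zoomify filename='x\" onerror=\"alert(1)' width=1]",
    14: 'Bad: [zoomify filename="</div><script>alert(1)</script>"]',
    15: "Plain text, no shortcode at all.",
}

def parse_attrs(raw):
    """Return shortcode attributes as a dict keyed by lower-cased name."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def suspicious_filenames(content):
    """Return every 'filename' value in content that carries an indicator."""
    hits = []
    for m in SHORTCODE_RE.finditer(content):
        value = parse_attrs(m.group(1)).get("filename")
        if value is not None and INDICATOR_RE.search(value):
            hits.append(value)
    return hits

def scan_posts(posts):
    """Map post id -> flagged filename values, only for posts with a hit."""
    return {pid: h for pid, c in posts.items() if (h := suspicious_filenames(c))}

def render_filename_attr(value):
    """Output-escaping side of the fix: escape before the value reaches an HTML
    attribute so a stored payload renders inert (what WP's esc_attr() does)."""
    return '<img src="%s">' % html.escape(value, quote=True)
```

Run scan_posts() over content pulled with wp post get to list the post ids that need review; the escaping helper illustrates the control whose absence the advisory describes.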


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include removing or disabling the vulnerable ZoomifyWP Free plugin if it is installed, especially versions up to 1.1.

Since the plugin has been closed as of February 12, 2026 pending review, avoid using it until a secure update is released.

- Disable or uninstall the ZoomifyWP Free plugin from your WordPress installation.
- Review and sanitize any content using the [zoomify] shortcode, especially the 'filename' attribute, to remove any injected scripts.
- Restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires at least Contributor access to exploit.
- Monitor your site for suspicious activity or injected scripts in pages that use the shortcode. [3, 4]

