CVE-2026-49069
Received Received - Intake
Reflected Cross-Site Scripting in WPZOOM Portfolio

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS. This issue affects WPZOOM Portfolio: from n/a through 1.4.21.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-49069
EUVD
EUVD-2026-36010
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpzoom portfolio From 1.0.0 (inc) to 1.4.21 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is a Cross Site Scripting (XSS) issue in the WPZOOM Portfolio WordPress plugin versions 1.4.21 and below.

It occurs due to improper neutralization of input during web page generation, allowing attackers to inject malicious scripts into the website.

These malicious scripts execute when visitors access the affected site, potentially leading to harmful effects.

Exploitation requires user interaction, such as clicking a malicious link or visiting a specially crafted page.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of your website.

Such attacks can lead to theft of user data, session hijacking, defacement of the website, or distribution of malware to visitors.

Because the attack requires user interaction, visitors who click on malicious links or visit crafted pages are at risk.

Overall, it compromises the security and trustworthiness of your website.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests that contain malicious scripts or unusual query parameters targeting the WPZOOM Portfolio plugin versions 1.4.21 and below.

Since the vulnerability involves reflected Cross-site Scripting (XSS), detection can involve inspecting web server logs for requests with suspicious payloads or using web application security scanners that test for XSS vulnerabilities.

No specific commands are provided in the available resources, but common approaches include using tools like curl or wget to test for reflected script injection, or employing security scanners such as OWASP ZAP or Burp Suite to identify XSS vulnerabilities.

Mitigation Strategies

The immediate recommended step is to update the WPZOOM Portfolio plugin to version 1.4.22 or later, which contains the patch for this vulnerability.

Until the plugin is updated, applying the mitigation rule provided by Patchstack to block attacks targeting this vulnerability is advised.

Additionally, monitoring and restricting suspicious user inputs and links that could trigger the reflected XSS can help reduce risk.

Compliance Impact

The vulnerability in WPZOOM Portfolio allows attackers to inject malicious scripts via a Cross Site Scripting (XSS) attack, which can lead to unauthorized access or manipulation of user data.

Such unauthorized access or data manipulation can potentially lead to violations of data protection regulations like GDPR or HIPAA, as these standards require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing user data to attackers or enabling malicious actions on the affected website.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart