WordPress WPZOOM Portfolio Plugin XSS Vulnerability (CVE-2026-49069)
A critical reflected cross-site scripting (XSS) vulnerability, CVE-2026-49069, affects the WPZOOM Portfolio plugin (version 1.4.21 and earlier) for WordPress, enabling unauthenticated attackers to inject malicious JavaScript into web pages via the `wpzoom_load_more_items` AJAX action, leading to client-side script execution in victims' browsers.
A publicly available exploit has been published on Exploit-DB detailing a reflected Cross-Site Scripting (XSS) vulnerability, CVE-2026-49069, affecting the WordPress Plugin WPZOOM Portfolio, specifically versions up to and including 1.4.21. This flaw resides within the wpzoom_load_more_items AJAX action, which is accessible to unauthenticated users without proper nonce validation or privilege checks. Attackers can exploit this by crafting a malicious POST request that injects arbitrary JavaScript into the posts_data parameter's class key. Although sanitize_text_field() strips angle brackets, it fails to sanitize single quotes, allowing an attacker to break out of HTML attribute contexts and inject event handlers like onmouseover. The presence of a working Proof of Concept (PoC) significantly increases the immediate risk to organizations using vulnerable versions of this plugin.
Attack Chain
- An unauthenticated attacker crafts a malicious HTTP POST request.
- The request targets the
/wp-admin/admin-ajax.phpendpoint on the vulnerable WordPress site. - The POST request body includes
action=wpzoom_load_more_itemsand aposts_dataparameter containing the XSS payload:{"source":"post","class":"x' onmouseover='alert(document.domain)' y='"}. - The server processes the
wpzoom_load_more_itemsAJAX action;sanitize_text_field()is applied toposts_data, stripping angle brackets but preserving single quotes. - The attacker-controlled
classvalue is subsequently concatenated directly into single-quoted HTML attributes within theitems_html()function without context-aware output escaping (e.g.,<li class='{$class}_item ...'>). - The server's response includes the crafted HTML, such as
<li class='x' onmouseover='alert(document.domain)' y='_item ...'>, which is then rendered in a victim's browser. - When a victim's browser renders the affected page and the victim interacts with the vulnerable element (e.g., hovering over the loaded portfolio item), the injected
onmouseoverJavaScript event handler executes. - The attacker achieves client-side script execution, potentially leading to session hijacking, defacement, or redirection to malicious sites.
Impact
The successful exploitation of CVE-2026-49069 can lead to various client-side attacks, including session hijacking, defacement of the affected WordPress site, redirection of users to malicious websites, or the delivery of further malware. Since the vulnerability is unauthenticated and widely affects WordPress installations using the WPZOOM Portfolio plugin up to version 1.4.21, any user browsing the compromised site could become a victim. Organizations using this plugin could face reputation damage, data breaches, and significant operational disruption if their sites are exploited.
Recommendation
- Patch immediately: Upgrade the WPZOOM Portfolio plugin to a version greater than 1.4.21 to remediate CVE-2026-49069.
- Deploy the Sigma rule: Deploy the
Detect WordPress WPZOOM Portfolio XSS Exploitation (CVE-2026-49069)Sigma rule provided in this brief to your SIEM and tune for your environment to detect exploitation attempts. - Monitor web server logs: Regularly review web server access logs for suspicious POST requests to
/wp-admin/admin-ajax.phpcontaining unusualposts_dataparameters, as outlined in the provided IOCs.
Detection coverage 1
Detect WordPress WPZOOM Portfolio XSS Exploitation (CVE-2026-49069)
highDetects CVE-2026-49069 exploitation in WordPress WPZOOM Portfolio plugin via specific XSS payload in wpzoom_load_more_items AJAX action. This reflected XSS uses single quotes to break out of HTML attributes.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
domain
| Type | Value |
|---|---|
| domain | wpzoom.com |
| domain | wordpress.org |