Product
A critical reflected cross-site scripting (XSS) vulnerability, CVE-2026-49069, affects the WPZOOM Portfolio plugin (version 1.4.21 and earlier) for WordPress, enabling unauthenticated attackers to inject malicious JavaScript into web pages via the `wpzoom_load_more_items` AJAX action, leading to client-side script execution in victims' browsers.