<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WordPress 6.x - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/wordpress-6.x/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 13:23:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/wordpress-6.x/feed.xml" rel="self" type="application/rss+xml"/><item><title>WordPress WPZOOM Portfolio Plugin XSS Vulnerability (CVE-2026-49069)</title><link>https://feed.craftedsignal.io/briefs/2026-07-wpzoom-portfolio-xss/</link><pubDate>Mon, 06 Jul 2026 13:23:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wpzoom-portfolio-xss/</guid><description>A critical reflected cross-site scripting (XSS) vulnerability, CVE-2026-49069, affects the WPZOOM Portfolio plugin (version 1.4.21 and earlier) for WordPress, enabling unauthenticated attackers to inject malicious JavaScript into web pages via the `wpzoom_load_more_items` AJAX action, leading to client-side script execution in victims' browsers.</description><content:encoded><![CDATA[<p>A publicly available exploit has been published on Exploit-DB detailing a reflected Cross-Site Scripting (XSS) vulnerability, CVE-2026-49069, affecting the WordPress Plugin WPZOOM Portfolio, specifically versions up to and including 1.4.21. This flaw resides within the <code>wpzoom_load_more_items</code> AJAX action, which is accessible to unauthenticated users without proper nonce validation or privilege checks. Attackers can exploit this by crafting a malicious POST request that injects arbitrary JavaScript into the <code>posts_data</code> parameter's <code>class</code> key. Although <code>sanitize_text_field()</code> strips angle brackets, it fails to sanitize single quotes, allowing an attacker to break out of HTML attribute contexts and inject event handlers like <code>onmouseover</code>. The presence of a working Proof of Concept (PoC) significantly increases the immediate risk to organizations using vulnerable versions of this plugin.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP POST request.</li>
<li>The request targets the <code>/wp-admin/admin-ajax.php</code> endpoint on the vulnerable WordPress site.</li>
<li>The POST request body includes <code>action=wpzoom_load_more_items</code> and a <code>posts_data</code> parameter containing the XSS payload: <code>{&quot;source&quot;:&quot;post&quot;,&quot;class&quot;:&quot;x' onmouseover='alert(document.domain)' y='&quot;}</code>.</li>
<li>The server processes the <code>wpzoom_load_more_items</code> AJAX action; <code>sanitize_text_field()</code> is applied to <code>posts_data</code>, stripping angle brackets but preserving single quotes.</li>
<li>The attacker-controlled <code>class</code> value is subsequently concatenated directly into single-quoted HTML attributes within the <code>items_html()</code> function without context-aware output escaping (e.g., <code>&lt;li class='{$class}_item ...'&gt;</code>).</li>
<li>The server's response includes the crafted HTML, such as <code>&lt;li class='x' onmouseover='alert(document.domain)' y='_item ...'&gt;</code>, which is then rendered in a victim's browser.</li>
<li>When a victim's browser renders the affected page and the victim interacts with the vulnerable element (e.g., hovering over the loaded portfolio item), the injected <code>onmouseover</code> JavaScript event handler executes.</li>
<li>The attacker achieves client-side script execution, potentially leading to session hijacking, defacement, or redirection to malicious sites.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-49069 can lead to various client-side attacks, including session hijacking, defacement of the affected WordPress site, redirection of users to malicious websites, or the delivery of further malware. Since the vulnerability is unauthenticated and widely affects WordPress installations using the WPZOOM Portfolio plugin up to version 1.4.21, any user browsing the compromised site could become a victim. Organizations using this plugin could face reputation damage, data breaches, and significant operational disruption if their sites are exploited.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch immediately:</strong> Upgrade the WPZOOM Portfolio plugin to a version greater than 1.4.21 to remediate CVE-2026-49069.</li>
<li><strong>Deploy the Sigma rule:</strong> Deploy the <code>Detect WordPress WPZOOM Portfolio XSS Exploitation (CVE-2026-49069)</code> Sigma rule provided in this brief to your SIEM and tune for your environment to detect exploitation attempts.</li>
<li><strong>Monitor web server logs:</strong> Regularly review web server access logs for suspicious POST requests to <code>/wp-admin/admin-ajax.php</code> containing unusual <code>posts_data</code> parameters, as outlined in the provided IOCs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>wordpress</category><category>webapps</category><category>cve</category></item></channel></rss>