A cross-site scripting (XSS) vulnerability exists within the WPZOOM Portfolio plug-in versions 1.4.21 or earlier.
This vulnerability enables the attacker to conduct an injection attack via an unauthenticated request that injects malicious JavaScript code. This security issue has been catalogued under CVE ID CVE-2026-49069.
The said vulnerability resides within wpzoom_load_more_items function call via an AJAX request, and it can be triggered by anyone without the need for any privilege escalation.
This is because the wpzoom_load_more_items AJAX event has no nonce check in place. An attacker can send a crafted request and inject JavaScript that executes when a victim views the affected page.
Flaw Operation
WPZOOM Portfolio Reflected XSS vulnerability flaw arises from the way the application uses posts_data POST variable and sanitizes it with sanitize_text_field() function. The content is JSON decoded to array and merged with $args with the help of wp_parse_args() function.
The class key, which is under the control of the attacker, gets assigned to $args['class'] and inserted directly into several single-quoted HTML attributes inside the items_html() function.
Examples are as follows:
- <li class='{$class}_item ...'>
- <article class='{$class}_item-wrap ...'>
- <h3 class='{$class}_item-title'>
The output contains single quotes around the HTML attribute values. The sanitization removes angle brackets but keeps single quotes.
An attacker can break out of the attribute string and inject arbitrary attributes, including malicious JavaScript event handlers.
The payload executes when the underlying query returns at least one published portfolio item.
Proof of Concept
An unauthenticated attacker sends the following POST request to the target site:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded
action=wpzoom_load_more_items&offset=0&posts_data={"source":"post","class":"x' onmouseover='alert(document.domain)' y='"}
The response reveals that the single quote breaks out of the class attribute structure:
<li class='x' onmouseover='alert(document.domain)' y='_item ...' data-category='1'>
When rendered in a victim's browser, triggering the event handler hovering over the loaded portfolio item executes the JavaScript code.
Impact
The WPZOOM Portfolio XSS vulnerability can enable the attacker to:
- Execute arbitrary JavaScript code in the browser environment of the victim
- Capture session cookies and act as authenticated user
- Deface the site
- Serve user to malicious websites
- Act on behalf of authenticated users
Since there is no authentication needed for this attack, any user can be the target.
The Cause of the Vulnerability
The problem results from incorrect output escaping. The plugin does not apply context-aware functions to escape output, such as esc_attr(). Although the sanitize_text_field() function can be used, it does not delete single quotes which can break out of the attribute context.
The Fix
The WPZOOM Portfolio plug-in suffering from XSS vulnerability flaw has been fixed in its newer version. Users should upgrade to the latest version of the plug-in.
In case an upgrade is unavailable, one may think about disabling the plug-in till it gets fixed. Web Application Firewalls are helpful in preventing the exploitation.
The Bottom Line
XSS vulnerability in the WPZOOM Portfolio plug-in highlights the significance of context-aware output encoding. Failure to use esc_attr() allows a user input in the form of a class name to become a means to execute JavaScript code.
Update the plug-in immediately. Check the output of the wpzoom_load_more_items AJAX action. It is also important that all the user inputs are encoded before displaying them.
FAQ Section
What does CVE-2026-49069 mean?
CVE-2026-49069 is the name of the XSS vulnerability in the WPZOOM Portfolio WordPress plugin which enables injection of malicious scripts into the website.
Which versions are affected?
WPZOOM Portfolio versions up to and including 1.4.21 are affected.
How is the attack carried out?
The hacker sends a custom request to the wpzoom_load_more_items function using the AJAX feature in which a bad class parameter is provided, leading to XSS because the plugin does not properly escape the input while building HTML attributes.
What can the attacker do?
The attacker will be able to run JavaScript code on the victim’s computer, hijack session cookies, deface the website, and direct the visitors to other malicious websites.
How will I solve this problem?
Update your WPZOOM Portfolio plug-in to its newest version.
What happens when I can’t update?
Disable your WPZOOM plugin or use web application firewall.