CVE-2026-49069: WordPress WPZOOM Portfolio plugin <= 1.4.21 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS. This issue affects WPZOOM Portfolio: from n/a through 1.4.21.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Reflected cross-site scripting (XSS) in the WPZOOM Portfolio WordPress plugin (versions 1.4.21 and earlier) allows an unauthenticated remote attacker to run attacker-supplied JavaScript in a victim's browser by getting the victim to open a crafted link. The vulnerability is reachable over the network without credentials, but it requires user interaction: the payload executes only when the victim follows the attacker-controlled URL. Because the script runs in the victim's browser in the context of the WordPress site (CVSS scope changed, S:C), a successful attack enables session hijacking, credential theft, or actions taken on the site as the victim; the impact scales with the victim's privileges, so logged-in administrators are the most valuable targets. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection: Available. CVE-2026-49069 is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against customer images in every HarborGuard environment, including custom-built WordPress images that bundle the WPZOOM Portfolio plugin. Any image bundling plugin version 1.4.21 or earlier is flagged automatically.
- Triage: Available. Findings carry the recorded CVSS 3.1 score of 7.1 (HIGH), weighted against each customer organization's per-environment compliance policy to determine priority and routing, and are dispatched to the appropriate team inbox within the customer org based on configured ownership rules.
- Remediation: Pending upstream. Because no fixed version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment WPZOOM ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin page must be reachable over HTTP or HTTPS from the victim's browser, and normally from the attacker as well so that the crafted URL can be built and verified; a site that is not exposed on a network the attacker can reach is not exploitable remotely.
- Authentication: Not required
No account or session credential is needed; the attacker can deliver the malicious payload as an anonymous visitor.
- Victim interaction: Required
The attack is reflected (not stored), so the victim must click or follow a crafted URL supplied by the attacker for the payload to execute.
- Attack complexity: Low (CVSS AC:L)
Exploit conditions are straightforward and reliable - no race conditions or special environmental configuration are needed beyond delivering the malicious link to the victim.
Blast Radius
- Attacker executes arbitrary JavaScript in the authenticated victim's browser session, enabling theft of session cookies and authentication tokens.
- Attacker can read or exfiltrate page content visible to the victim, including any sensitive data rendered in the WordPress admin or front-end context.
- Attacker can perform actions on the WordPress site on the victim's behalf, such as modifying settings or publishing content, if the victim holds sufficient privileges.
- The affected service itself experiences limited availability impact, consistent with the CVSS A:L rating, such as partial disruption of the page rendering experience for the targeted user.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored with no upstream fix published as of the recorded date. HarborGuard re-evaluates the WPZOOM Portfolio advisory on every ingest cycle so that a patched-image rebuild becomes available automatically the moment a release newer than 1.4.21 is published. In the interim, compensating controls available within HarborGuard include network-policy annotations that restrict inbound traffic to the affected WordPress service, and policy rules that flag any new image deployments bundling plugin versions 1.4.21 or earlier. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be opened without manual intervention once the upstream patch is published. Where compliance policy permits, customers can also use HarborGuard's advisory-watch notifications to receive real-time alerts the moment the fix version is ingested.
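The version gate described above ("plugin versions 1.4.21 or earlier") is easy to get wrong with plain string comparison (1.4.9 sorts after 1.4.21 lexically). The following is an added example, not HarborGuard's or WPZOOM's code, of a stand-alone check that walks a wp-content/plugins tree, reads the standard WordPress plugin header, and flags the plugin when its Version header is at or below 1.4.21. It assumes the plugin's main file carries a "Plugin Name: WPZOOM Portfolio" header and uses the slug wpzoom-portfolio; both are assumptions to confirm against the actual plugin, and the sample header it scans is constructed for the demo.

```python
"""Added example (not HarborGuard's or WPZOOM's code): flag a WordPress
plugins tree that bundles WPZOOM Portfolio at an affected version.

Assumptions not stated on the advisory page: the plugin's main file has
a standard WordPress header with "Plugin Name: WPZOOM Portfolio" and a
"Version:" line; the slug wpzoom-portfolio and the sample header below
are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

AFFECTED_MAX = "1.4.21"            # from the advisory: "from n/a through 1.4.21"
PLUGIN_NAME = "wpzoom portfolio"   # assumed header value, compared case-insensitively

# WordPress reads header fields from the first 8 KiB of the plugin's main file,
# one "Key: value" pair per line inside the opening comment block.
_HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Return the Plugin Name and Version fields of a WordPress plugin header."""
    fields: Dict[str, str] = {}
    for key, value in _HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)   # first occurrence wins, as in WordPress
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key so that 1.4.9 < 1.4.21 (string comparison gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when version <= max_affected. The advisory's lower bound is 'n/a',
    so every earlier release counts as affected."""
    a, b = version_key(version), version_key(max_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 1.5 compares as 1.5.0
    b += (0,) * (width - len(b))
    return a <= b


def scan_plugins_dir(plugins_dir: Path) -> List[Tuple[str, str, bool]]:
    """Walk plugins/<slug>/*.php and report (path, version, affected) for the target plugin."""
    findings: List[Tuple[str, str, bool]] = []
    for php in sorted(plugins_dir.glob("*/*.php")):
        try:
            header = parse_plugin_header(php.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue   # unreadable file: skip, do not crash the whole scan
        name = header.get("Plugin Name", "").lower()
        if name == PLUGIN_NAME and "Version" in header:
            findings.append((str(php), header["Version"], is_affected(header["Version"])))
    return findings


# Constructed sample header shaped like a WordPress plugin file (not the real plugin file).
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: WPZOOM Portfolio
 * Description: Constructed sample header for the version check.
 * Version: 1.4.21
 */
"""


def demo() -> List[Tuple[str, str, bool]]:
    """Lay out a throwaway plugins tree with the sample header plus an unrelated plugin, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        (plugins / "wpzoom-portfolio").mkdir(parents=True)   # slug assumed for the demo
        (plugins / "wpzoom-portfolio" / "wpzoom-portfolio.php").write_text(SAMPLE_PLUGIN_FILE)
        (plugins / "other-plugin").mkdir()
        (plugins / "other-plugin" / "other-plugin.php").write_text(
            "<?php\n/*\nPlugin Name: Other Plugin\nVersion: 9.9.9\n*/\n")
        return scan_plugins_dir(plugins)


if __name__ == "__main__":
    for path, version, affected in demo():
        print(f"{path}: version {version} -> {'AFFECTED' if affected else 'ok'}")
```

Point scan_plugins_dir at the unpacked image's wp-content/plugins directory to run it against a real build; once an upstream fix ships, raise AFFECTED_MAX only after confirming the fixed version from the advisory rather than guessing the next number.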
Affected Products
- WPZOOM / WPZOOM Portfolio: ≤ 1.4.21
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L