Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS.
This issue affects WPZOOM Portfolio: from n/a through 1.4.21.
AnalysisAI
Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (versions up to and including 1.4.21) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. Because the CVSS scope is Changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically enabling session hijacking or actions against the WordPress admin context. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Technical ContextAI
The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in the WPZOOM Portfolio plugin, a WordPress add-on (CPE cpe:2.3:a:wpzoom:wpzoom_portfolio) used to display portfolio content. The plugin reflects user-controlled input back into a rendered page without proper output encoding or sanitization, allowing attacker-supplied HTML/JavaScript to execute in the context of the WordPress site. As a reflected XSS, the malicious payload is delivered via a crafted URL or form parameter rather than being persisted server-side, and execution depends on the victim's browser rendering the response.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data - WordPress administrators should update the WPZOOM Portfolio plugin to the latest available release (any version newer than 1.4.21) via the WordPress plugin dashboard and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpzoom-portfolio/vulnerability/wordpress-wpzoom-portfolio-plugin-1-4-21-cross-site-scripting-xss-vulnerability for exact fix version details. If immediate patching is not possible, compensating controls include deactivating the WPZOOM Portfolio plugin (which removes any portfolio pages from the front end), deploying a WAF rule or Patchstack vPatch to filter reflected XSS payloads targeting the plugin's vulnerable parameters (may produce false positives on legitimate query strings), or enforcing a strict Content Security Policy that disallows inline script execution (can break themes/plugins that rely on inline JavaScript). Administrators should also remind privileged users not to click untrusted links while logged into wp-admin.
More in Wpzoom Portfolio
View allReflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (all versions up to and including 1.4.29) lets r
The WPZOOM Portfolio Lite - Filterable Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36010
GHSA-pvvf-jf93-577x