Skip to main content

Wpzoom Portfolio

3 CVEs product

Monthly

CVE-2026-57712 HIGH This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (all versions up to and including 1.4.29) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1, the flaw requires user interaction and carries no public exploit identified at time of analysis and no CISA KEV listing. Impact is scoped to the session of whichever user is lured into clicking, including logged-in administrators.

XSS Wpzoom Portfolio
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-49069 HIGH POC This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (versions up to and including 1.4.21) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. Because the CVSS scope is Changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically enabling session hijacking or actions against the WordPress admin context. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

XSS Wpzoom Portfolio
NVD Exploit-DB VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2024-8276 MEDIUM PATCH This Month

The WPZOOM Portfolio Lite - Filterable Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:wpzoom-blocks' Gutenberg block in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wpzoom Portfolio
NVD
CVSS 3.1
5.4
EPSS
0.4%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (all versions up to and including 1.4.29) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1, the flaw requires user interaction and carries no public exploit identified at time of analysis and no CISA KEV listing. Impact is scoped to the session of whichever user is lured into clicking, including logged-in administrators.

XSS Wpzoom Portfolio
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (versions up to and including 1.4.21) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. Because the CVSS scope is Changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically enabling session hijacking or actions against the WordPress admin context. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

XSS Wpzoom Portfolio
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The WPZOOM Portfolio Lite - Filterable Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:wpzoom-blocks' Gutenberg block in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wpzoom Portfolio
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy