VYPR
Unrated severity · NVD Advisory · Published Jan 23, 2023 · Updated Apr 2, 2025

WPZOOM Portfolio < 1.2.2 - Contributor+ Stored XSS via Shortcode

CVE-2022-4789

Description

A stored XSS vulnerability in the WPZOOM Portfolio plugin before 1.2.2 allows contributors to inject arbitrary JavaScript via an unescaped shortcode attribute.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPZOOM Portfolio WordPress plugin before version 1.2.2 fails to validate and escape one of its shortcode attributes. This flaw enables a stored Cross-Site Scripting (XSS) attack. The plugin uses shortcodes that accept attributes, and the vulnerable attribute is not sanitized before being output, allowing arbitrary HTML and JavaScript to be embedded. The required condition is that the plugin must be installed and active, and a user with the contributor role or higher must be able to add or edit posts that process the shortcode. Versions prior to 1.2.2 are affected [1].

Exploitation

An attacker with a contributor-level account (the lowest authoring role) can craft a post or page containing the vulnerable shortcode with a malicious attribute value containing JavaScript. When the post is viewed by another user, the injected script executes within the context of the victim's browser. No additional user interaction beyond viewing the affected page is needed. The researcher Lana Codes provided a proof of concept [1].

Impact

Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the browsers of users visiting the compromised page. This can result in session hijacking, defacement, theft of sensitive data, or redirection to malicious sites. The attack operates within the privileges of the victim's session, potentially affecting administrators and other high-privilege users.

Mitigation

The vulnerability is fixed in version 1.2.2 of the WPZOOM Portfolio plugin, which was already released by the public disclosure date of 2022-12-28 [1]. Users should update to version 1.2.2 or later immediately. No workarounds are documented; upgrading to the patched version is the sole mitigation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing validation and escaping of a shortcode attribute allows stored cross-site scripting."

Attack vector

An attacker with a role as low as Contributor can inject a malicious payload into an unvalidated shortcode attribute. When the shortcode is rendered on a page or post, the payload executes as Stored Cross-Site Scripting (XSS) in the browsers of visitors [1]. The attack requires only the ability to create or edit posts containing the vulnerable shortcode.

Affected code

The advisory does not specify the exact file or function name. The vulnerability resides in a shortcode attribute of the WPZOOM Portfolio plugin that is not validated or escaped before output [1].

What the fix does

The advisory states the vulnerability is fixed in version 1.2.2 of the WPZOOM Portfolio plugin [1]. No patch diff is provided, but the fix presumably adds proper validation and escaping of the shortcode attribute that was previously unsanitized.
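The defect class described here (a shortcode attribute echoed into HTML without escaping) and the kind of fix the Mitigation and "What the fix does" sections describe can be shown side by side. The following is an added illustration, not WPZOOM Portfolio's code and not its actual patch; the shortcode name `demo_portfolio`, its attributes and both handler functions are hypothetical, and the snippet assumes a WordPress runtime (`add_shortcode`, `shortcode_atts`, `absint`, `sanitize_html_class`, `esc_attr`, `esc_html`).

```php
<?php
// Added illustration, not WPZOOM Portfolio's code: a hypothetical shortcode
// "[demo_portfolio]" showing the advisory's defect class (a shortcode attribute
// output without escaping) next to a hardened handler. Assumes WordPress APIs.

// BEFORE (vulnerable pattern): attribute values are concatenated into HTML
// verbatim. A Contributor controls every attribute of a shortcode they place in
// post content, so whatever they type reaches the page source unescaped.
function demo_portfolio_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'columns' => '3', 'class' => '' ),
        $atts,
        'demo_portfolio'
    );
    return '<div class="portfolio ' . $atts['class'] . '" data-columns="' . $atts['columns'] . '">'
         . '<h2>' . $atts['title'] . '</h2>'
         . '</div>';
}

// AFTER (hardened): each value is coerced to the type the template expects and
// escaped for the exact context it is emitted into, at output time.
function demo_portfolio_shortcode_fixed( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'columns' => '3', 'class' => '' ),
        $atts,
        'demo_portfolio'
    );

    // Numeric attribute: coerce to a non-negative integer, then clamp to the
    // layouts the template actually supports (allow-list, not just escaping).
    $columns = absint( $atts['columns'] );
    if ( $columns < 1 || $columns > 6 ) {
        $columns = 3;
    }

    // Class attribute: restrict to characters valid in a CSS class name.
    $class = sanitize_html_class( $atts['class'] );

    // esc_attr() for HTML attribute context, esc_html() for element text.
    return '<div class="portfolio ' . esc_attr( $class ) . '" data-columns="' . esc_attr( (string) $columns ) . '">'
         . '<h2>' . esc_html( $atts['title'] ) . '</h2>'
         . '</div>';
}

add_shortcode( 'demo_portfolio', 'demo_portfolio_shortcode_fixed' );
```

The design point is that escaping belongs at output, chosen per context (attribute vs. element text), rather than relying on filtering at save time: WordPress's content filtering for non-privileged authors does not make the text inside shortcode brackets safe for every HTML context the handler later writes it into, so the shortcode callback is the component responsible for that. Clamping numeric and class-name attributes to an allow-list additionally removes the need to reason about what a "safe" free-form value would look like.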

Preconditions

  • Auth: Attacker must have a WordPress user role of Contributor or higher.
  • Config: The vulnerable shortcode must be present and unpatched in the WPZOOM Portfolio plugin (version < 1.2.2).

Reproduction

The advisory does not include explicit reproduction steps beyond stating that a shortcode attribute is not validated or escaped [1]. No public PoC with step-by-step instructions is provided in the bundle.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)