Attack Vectors
ZoomifyWP Free (slug: tz-zoomifywp-free) has a Medium-severity stored cross-site scripting (XSS) vulnerability (CVE-2026-1187, CVSS 6.4) affecting versions up to and including 1.1. The issue is reachable by a logged-in user with at least Contributor permissions.
The attack path is straightforward in many real-world WordPress setups: an authenticated user who can create or edit posts adds the zoomify shortcode and supplies a malicious value in its filename attribute. Because the plugin does not sufficiently sanitize that attribute on input or escape it on output, the injected script is saved with the post and runs in the browser of anyone who views the page.
From a business-risk standpoint, this means the threat does not require an external hacker to “break in” first. It can be triggered by compromised contributor accounts, third-party contractors with content access, or internal users whose credentials are phished or reused.
Security Weakness
The weakness is a classic content-handling control gap: insufficient input sanitization and output escaping of user-supplied shortcode attributes. Specifically, the filename attribute in the zoomify shortcode can be used to store script content that later runs in a visitor’s browser.
Because this is stored XSS, the harmful content persists in the post until it is removed, and it runs on every view rather than only once. It also crosses a trust boundary: text entered by a Contributor, a role that normally cannot publish or embed script, executes in the site's origin with whatever access the viewer has, and that viewer may be an executive, a customer, or an administrator previewing a draft.
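To make the control gap concrete, the following is a minimal shortcode handler in the shape the advisory describes, placed beside a hardened version. It is an illustration written for this page, not ZoomifyWP's own code: only the zoomify tag and the filename attribute come from the advisory; the markup it emits, the uploads path and the example_ function names are assumptions.

```php
<?php
// Illustration written for this page, not ZoomifyWP's own code. The tag
// "zoomify" and the attribute "filename" come from the advisory; everything
// else here (markup, uploads path, function names) is assumed.

// Vulnerable shape: the attribute value goes into HTML untouched. A value that
// contains a double quote closes the src attribute, and whatever follows it is
// parsed as further attributes or markup when the post is viewed.
function example_zoomify_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'filename' => '' ), $atts, 'zoomify' );
    $src  = content_url( 'uploads/' . $atts['filename'] );
    return '<img class="zoomify" src="' . $src . '">';
}

// Hardened shape: validate the value as a bare file name on input, then escape
// it for the exact context it is written into on output.
function example_zoomify_safe( $atts ) {
    $atts = shortcode_atts( array( 'filename' => '' ), $atts, 'zoomify' );

    // sanitize_file_name() strips quotes, angle brackets, '=', '/', '\' and
    // other characters that have no place in a file name. Reject anything that
    // changed rather than silently "repairing" it.
    $name = sanitize_file_name( $atts['filename'] );
    if ( $name === '' || $name !== $atts['filename'] ) {
        return '';
    }

    $src = content_url( 'uploads/' . $name );

    // esc_url() for a URL-valued attribute, esc_attr() for any other attribute
    // value; both are applied at the point of output, not at storage time.
    return '<img class="zoomify" src="' . esc_url( $src ) . '" alt="' . esc_attr( $name ) . '">';
}

// Registered under an example tag so it can be compared with the unsafe shape
// without touching the real [zoomify] shortcode.
add_shortcode( 'example_zoomify', 'example_zoomify_safe' );
```

The two fixes are independent and both are needed: input validation limits what can be stored, output escaping guarantees that whatever is stored cannot change the structure of the HTML it lands in. Note that the strict comparison rejects file names that sanitize_file_name() would alter, such as names containing spaces; relax it only after deciding what your site considers a legitimate file name.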
Technical or Business Impacts
Even at Medium severity, stored XSS is a practical business risk because it can undermine brand trust and disrupt revenue-generating web activity. If exploited in a marketing page, landing page, or blog post, it can inject unwanted pop-ups, redirects, or deceptive forms that confuse or defraud visitors.
Potential impacts include:
Brand and demand-gen harm: visitors may see unauthorized content, be redirected, or lose confidence in your site—reducing conversion rates and campaign ROI.
Data and session exposure risk: a script running in a visitor's browser executes in your site's origin, so it can read any page content the viewer can see, send requests to the site carrying the viewer's cookies, and act as that user. This is most serious when the viewer is a logged-in administrator or an internal stakeholder reviewing drafts.
Compliance and reporting pressure: if malicious scripts lead to data exposure or customer harm, you may face escalations involving legal, compliance, and incident response communications.
Operational disruption: investigating and cleaning stored malicious content can consume marketing and IT time, delay campaigns, and require emergency changes to publishing workflows.
Remediation status: there is currently no known patch available for this issue. Based on risk tolerance, many organizations will choose to uninstall ZoomifyWP Free and replace it with an alternative. If uninstalling is not immediately feasible, reduce exposure while you plan a replacement: review who holds Contributor access or higher and remove accounts that do not need it, remove the zoomify shortcode (or wrap it so the filename attribute is sanitized before it is rendered), search existing posts for zoomify shortcodes whose filename value contains quotes or angle brackets, and monitor for unexpected content changes.
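One way to wrap the shortcode without modifying the plugin's files is a must-use plugin that replaces the registered callback with a wrapper, sanitizes the filename attribute, and logs any value it had to change so stored payloads surface in the error log. This is an example written for this page, not ZoomifyWP code; it assumes the shortcode tag is literally zoomify and the attribute is filename (as the advisory states), and the file name and log format are assumptions.

```php
<?php
/**
 * Plugin Name: zoomify shortcode guard (mitigation example)
 * Description: Sanitizes the "filename" attribute of [zoomify] before the
 *              plugin's own handler sees it, and logs values that had to be
 *              changed. Save as wp-content/mu-plugins/zoomify-guard.php.
 */

// Example written for this page, not ZoomifyWP code. Assumes the shortcode tag
// is "zoomify" and the attribute is "filename"; the log format is assumed.

add_action( 'init', function () {
    global $shortcode_tags;

    // Plugin not active, or registered under a different tag: nothing to wrap.
    if ( empty( $shortcode_tags['zoomify'] ) ) {
        return;
    }

    $original = $shortcode_tags['zoomify'];

    // Replace the registered callback with a wrapper that cleans the attribute
    // and then hands everything to the plugin's original handler.
    $shortcode_tags['zoomify'] = function ( $atts, $content = null, $tag = 'zoomify' ) use ( $original ) {
        if ( ! is_array( $atts ) ) {
            $atts = array();
        }

        if ( isset( $atts['filename'] ) && is_string( $atts['filename'] ) ) {
            $raw = $atts['filename'];

            // sanitize_file_name() strips quotes, angle brackets, '=', '/',
            // '\', '(' and similar, so the value can no longer close an HTML
            // attribute or carry a script fragment into the rendered page.
            $clean = sanitize_file_name( $raw );

            if ( $clean !== $raw ) {
                // A plain file name is usually unchanged by sanitize_file_name(),
                // so any difference is worth a look: log the post and both values.
                $post_id = get_the_ID();
                error_log( sprintf(
                    'zoomify-guard: rewrote filename attribute in post %s from %s to %s',
                    $post_id ? $post_id : 'unknown',
                    wp_json_encode( $raw ),
                    wp_json_encode( $clean )
                ) );
            }

            $atts['filename'] = $clean;
        }

        return call_user_func( $original, $atts, $content, $tag );
    };
}, 20 ); // Priority 20: runs after plugins that register shortcodes on init at 10.
```

This is a stopgap, not a fix: it constrains what reaches the plugin but cannot add the output escaping the plugin itself lacks. Test it on a staging copy first, because sanitize_file_name() also removes path separators and spaces; if the plugin expects a path rather than a bare file name in that attribute, legitimate zoom images will stop rendering and you should narrow the rewrite accordingly. Watch the log for zoomify-guard entries, since each one points at a post whose stored attribute contained characters a file name should never have.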
Similar Attacks
Stored XSS in WordPress plugins has been used in real incidents to alter pages and compromise user trust. Examples include: