CVE-2026-1187 identifies a stored cross-site scripting vulnerability in the ZoomifyWP Free plugin for WordPress, specifically in all versions up to and including 1.1. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'filename' parameter of the 'zoomify' shortcode. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a risk to multi-user WordPress sites using this plugin. The lack of a patch at the time of reporting necessitates interim mitigations to prevent exploitation.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, compromising user sessions, leaking sensitive information, or enabling further attacks such as privilege escalation or defacement. Organizations with collaborative content creation environments are particularly vulnerable since contributors can inject malicious payloads. The confidentiality and integrity of data and user accounts are at risk, potentially damaging organizational reputation and trust. While availability is not directly impacted, indirect effects such as site defacement or administrative lockout could occur. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and government, exploitation could have significant operational and reputational consequences.

Organizations should monitor for an official patch from the plugin vendor and apply it promptly once available. Until then, restrict Contributor-level access to trusted users only and audit existing content for suspicious scripts. Implement web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the 'filename' parameter. Employ Content Security Policy (CSP) headers to limit script execution sources. Additionally, consider disabling or replacing the ZoomifyWP Free plugin if it is not critical to operations. Regularly review user permissions and enforce the principle of least privilege. Conduct security awareness training for contributors to recognize and avoid injecting unsafe content. Finally, maintain up-to-date backups to enable recovery if an attack occurs.