CVE-2026-1187 identifies a stored Cross-Site Scripting (XSS) vulnerability in the ZoomifyWP Free plugin for WordPress, specifically in all versions up to and including 1.1. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'filename' parameter of the 'zoomify' shortcode. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, reflecting a medium severity with a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and a scope change (S:C). The impact affects confidentiality and integrity partially but does not impact availability. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where multiple users have editing privileges. The plugin is widely used in WordPress installations that require image zooming functionality, making the vulnerability relevant to many websites globally. Mitigation involves updating the plugin once a patch is available or implementing strict input validation and output encoding on the 'filename' parameter. Additionally, restricting Contributor-level access and monitoring for suspicious activity can reduce exploitation risk.

The vulnerability allows authenticated users with Contributor-level access or higher to inject malicious scripts that execute in the browsers of other users viewing the affected pages. This can lead to partial compromise of confidentiality through session hijacking or theft of sensitive information accessible via the browser. Integrity may also be impacted if attackers manipulate page content or perform unauthorized actions on behalf of other users. Although availability is not directly affected, the trustworthiness of the website and user data integrity can be undermined. Organizations using the ZoomifyWP Free plugin are at risk of targeted attacks, especially in collaborative environments with multiple content editors. The scope of affected systems is broad due to the widespread use of WordPress and this plugin. Exploitation requires authentication but no user interaction, making it easier for attackers with limited privileges to escalate their impact. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks. Overall, the vulnerability can facilitate persistent XSS attacks that degrade user trust and site security.

1. Immediately update the ZoomifyWP Free plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. 3. Implement server-side input validation and output encoding for the 'filename' parameter in the 'zoomify' shortcode to neutralize malicious scripts. 4. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns related to this plugin. 5. Conduct regular security audits and code reviews of WordPress plugins, especially those handling user input. 6. Monitor logs for unusual activity or content changes associated with the 'zoomify' shortcode usage. 7. Educate content editors about the risks of injecting untrusted content and enforce strict content policies. 8. Consider disabling or replacing the ZoomifyWP Free plugin if immediate patching is not feasible. 9. Use Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script sources. 10. Backup website data regularly to enable recovery in case of compromise.