CVE-2026-49069 is a reflected cross-site scripting (XSS) vulnerability in the WPZOOM Portfolio plugin affecting versions up to 1.4.21. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. This flaw allows an attacker to inject malicious scripts that execute in the context of users interacting with the affected web pages. The CVSS 3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. There is no vendor advisory or patch available at this time, and no known exploits in the wild have been reported.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of a user's browser session, potentially leading to information disclosure, session hijacking, or other impacts on confidentiality, integrity, and availability as indicated by the CVSS vector. The attack requires user interaction and can be performed remotely without authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider applying web application firewall (WAF) rules to detect and block reflected XSS attempts and exercise caution with untrusted input. Monitor vendor channels for updates and apply patches promptly once available.