CVE-2026-1187

Name of the Vulnerable Software and Affected Versions ZoomifyWP Free plugin versions prior to 1.2

Description The ZoomifyWP Free plugin for WordPress has a Stored Cross-Site Scripting issue. This is due to insufficient input sanitization and output escaping on user-supplied attributes. Specifically, the 'filename' parameter of the 'zoomify' shortcode is affected. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page.

Recommendations Update the ZoomifyWP Free plugin to version 1.2 or later.