Stored Cross-Site Scripting Vulnerability in Bootstrap Multi-language Responsive Portfolio Plugin for WordPress
CVE-2025-11753

4.4 MEDIUM

What is CVE-2025-11753?

The Bootstrap Multi-language Responsive Portfolio plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via its admin settings in all versions up to and including 1.0. The cause is insufficient sanitization of user input and improper output escaping. An authenticated attacker with administrator-level permissions can inject arbitrary web scripts into pages, and those scripts execute whenever an authorized user views the compromised page. The issue is of particular concern on multi-site installations and on installations where the 'unfiltered_html' capability has been disabled: in those setups administrators are not otherwise allowed to post unfiltered HTML, so the plugin's settings give them a script-injection path that WordPress is configured to withhold.

Affected Version(s)

Bootstrap Multi-language Responsive Portfolio * <= 1.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Gasi