Stored Cross-Site Scripting in WordPress Portfolio Builder Plugin
CVE-2025-1757

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: WordPress Portfolio Builder – Portfolio Gallery
Vendor: CVE Published:; 28 February 2025

What is CVE-2025-1757?

The Portfolio Builder – Portfolio Gallery plugin for WordPress is exploitable through Stored Cross-Site Scripting vulnerabilities found in its 'pfhub_portfolio' and 'pfhub_portfolio_portfolio' shortcodes. This issue arises from inadequate input sanitization and output escaping of user-supplied attributes. It allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts, which execute whenever a user accesses the affected pages. It is essential for users to upgrade to a patched version to mitigate this risk.

Affected Version(s)

WordPress Portfolio Builder – Portfolio Gallery * <= 1.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/uber-grid/trun...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 28, 2025
Vulnerability Reserved
Feb 27, 2025

Credit

Bassem Essam