Stored Cross-Site Scripting in WordPress Portfolio Builder Plugin
CVE-2025-1757
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 28 February 2025
What is CVE-2025-1757?
The Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting through its 'pfhub_portfolio' and 'pfhub_portfolio_portfolio' shortcodes. The issue arises from inadequate input sanitization and output escaping of user-supplied shortcode attributes. It allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into pages, and those scripts execute whenever a user accesses an affected page. Users should upgrade to a patched version to mitigate this risk.
Affected Version(s)
WordPress Portfolio Builder – Portfolio Gallery * <= 1.1.7
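An audit sketch for sites running an affected version, added here as an example and not taken from the plugin or the advisory: it checks a version string against the stated range and lists uses of the two shortcodes whose attribute values contain HTML metacharacters, so an editor can review them. It assumes post content is available as (ID, post_content) pairs; the function names and sample rows are constructed for illustration.

```python
import re

# Shortcode tags and affected range as stated in the advisory.
LAST_AFFECTED = (1, 1, 7)
SHORTCODE_RE = re.compile(r"\[(pfhub_portfolio(?:_portfolio)?)(?=[\s\]/])([^\]]*)\]")
# name="v", name='v' or name=v: the attribute forms WordPress shortcodes accept.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
# Characters that change meaning if a value reaches HTML output unescaped.
HTML_META = re.compile(r"""[<>"'`]""")


def is_affected(version):
    """True when a plugin version falls in the advisory's range (<= 1.1.7)."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    return parts <= LAST_AFFECTED


def audit_content(post_id, content):
    """Return (post_id, tag, attribute, value) for values carrying HTML metacharacters."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for attr in ATTR_RE.finditer(sc.group(2)):
            # Exactly one of the three value groups is set for each match.
            value = next(v for v in attr.groups()[1:] if v is not None)
            if HTML_META.search(value):
                findings.append((post_id, sc.group(1), attr.group(1), value))
    return findings


# Constructed sample rows standing in for (ID, post_content) from a site export.
SAMPLE_POSTS = {
    101: 'Intro [pfhub_portfolio id="3"] outro',
    102: "[pfhub_portfolio_portfolio id='7\" data-x=\"1']",
    103: "[gallery ids='1,2']",
}

if __name__ == "__main__":
    print("1.1.7 affected:", is_affected("1.1.7"))
    for pid, body in SAMPLE_POSTS.items():
        for finding in audit_content(pid, body):
            print("review:", finding)
```

A flagged value is a prompt for manual review, not proof of injection; plain numeric or slug-like attribute values pass without a finding.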