Portfolio for Elementor & Image Gallery

CVE Details

Basic Information

Title	Portfolio for Elementor & Image Gallery \| PowerFolio <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Type	cve
Published	2025-07-04T01:44:00.580Z
Modified	2025-07-04T01:44:00.580Z

Product Information

Vendor	dotrex
Product	Portfolio for Elementor & Image Gallery \| PowerFolio
Version	*

CVSS Information

Base Score	6.4 (MEDIUM)
Attack Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Analysis

AI Description	This vulnerability allows authenticated attackers with Contributor-level access to inject arbitrary web scripts into pages using the Custom JS Attributes of the plugin’s widgets. This is a Stored Cross-Site Scripting (XSS) issue due to insufficient input sanitization and output escaping. It was partially fixed in version 3.2.0 and fully resolved in version 3.2.1.
AI Severity	Medium
AI Vendor	WordPress Community
AI Product	Portfolio for Elementor & Image Gallery \| PowerFolio
AI Version	<= 3.2.0
AI Score	6.4

Affected Products

dotrex Portfolio for Elementor & Image Gallery | PowerFolio *

Additional Information

CWE List	CWE-79
Source	Wordfence

Description

The Portfolio for Elementor & Image Gallery | PowerFolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS Attributes of Plugin’s widgets in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially fixed in version 3.2.0 and fully fixed in version 3.2.1.

References

View Full CVE Details

Portfolio for Elementor & Image Gallery | PowerFolio <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS