CVE-2021-25090

Name of the Vulnerable Software and Affected Versions The Portfolio Gallery, Product Catalog WordPress plugin versions prior to 2.1.0

Description The issue concerns a lack of authorization and CSRF checks in various functions related to AJAX actions, allowing any authenticated users to call them. This also leads to a potential for Cross-Site Scripting attacks on pages where a Portfolio is embedded, due to insufficient sanitization and escaping.

Recommendations For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to AJAX actions related to the Portfolio Gallery plugin to minimize the risk of exploitation. Avoid using the plugin's vulnerable functions until the issue is resolved.