CVE-2025-7046

Name of the Vulnerable Software and Affected Versions: PowerFolio plugin for WordPress versions prior to 3.2.1

Description: The issue is related to Stored Cross-Site Scripting via the Custom JS Attributes of the plugin's widgets due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations: For versions prior to 3.2.1, update to version 3.2.1 to fully resolve the issue. As a temporary workaround, consider restricting access to the Custom JS Attributes of the plugin's widgets to minimize the risk of exploitation.