CVE-2025-1757

Name of the Vulnerable Software and Affected Versions The WordPress Portfolio Builder – Portfolio Gallery plugin versions up to, and including, 1.1.7

Description The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'pfhub portfolio' and 'pfhub portfolio portfolio' shortcodes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page.

Recommendations For The WordPress Portfolio Builder – Portfolio Gallery plugin version 1.1.7 and earlier, update to a version later than 1.1.7 to resolve the issue. As a temporary workaround, consider restricting access to the 'pfhub portfolio' and 'pfhub portfolio portfolio' shortcodes to prevent arbitrary web script injection.