The Bootstrap Multi-language Responsive Portfolio plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Authenticated administrators can inject arbitrary scripts via the plugin's admin settings. The vulnerability affects multi-site installations or those with unfiltered_html disabled, allowing malicious scripts to execute in users' browsers when they visit injected pages. The CVSS 3.1 base score is 4.4 (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, high attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact. No patch or official remediation is currently available.

An authenticated attacker with administrator privileges can inject and store malicious scripts in the plugin's admin settings. These scripts execute in the context of users visiting the affected pages, potentially leading to limited confidentiality and integrity impacts such as session hijacking or unauthorized actions within the scope of the affected site. The vulnerability does not impact availability and requires high privileges and a multi-site or restricted unfiltered_html environment to be exploitable.

No official patch or fix is currently available for this vulnerability. Since exploitation requires administrator-level access, organizations should restrict administrative privileges to trusted users only. Consider disabling the Bootstrap Multi-language Responsive Portfolio plugin in multi-site or unfiltered_html-disabled environments until a vendor fix is released. Monitor the augustinfotech vendor advisories for updates regarding remediation. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.