CVE-2025-1757 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the WordPress Portfolio Builder – Portfolio Gallery plugin. This vulnerability affects all versions up to and including 1.1.7. The root cause is insufficient sanitization and escaping of user-supplied attributes in the plugin's 'pfhub_portfolio' and 'pfhub_portfolio_portfolio' shortcodes. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into portfolio pages. When other users access these pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of victims, or deface the website. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of inadequate input validation in WordPress plugins, especially those that allow content injection via shortcodes.

This vulnerability can lead to unauthorized script execution in the context of the affected website, compromising the confidentiality and integrity of user sessions and data. Attackers with contributor-level access can leverage this flaw to escalate privileges by hijacking administrator sessions or injecting malicious content that misleads users or damages the site’s reputation. Although availability is not directly impacted, the injected scripts could be used to deface websites or redirect users to malicious domains, indirectly affecting service trustworthiness. Organizations relying on the Portfolio Builder plugin face risks of data theft, unauthorized actions, and reputational damage. Given WordPress's widespread use, especially among small and medium enterprises, the vulnerability could be exploited in targeted attacks or automated campaigns once exploit code becomes available. The requirement for authenticated access limits exposure but does not eliminate risk, as contributor accounts are common in collaborative environments.

Organizations should immediately audit their WordPress installations to identify the use of the Portfolio Builder – Portfolio Gallery plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling or uninstalling the plugin if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute inputs can provide interim protection. Site owners should also enforce strict input validation and output encoding practices for any custom shortcode usage. Monitoring logs for unusual contributor activity and scanning for injected scripts on portfolio pages can help detect exploitation attempts. Once a patch becomes available, prompt application is critical. Additionally, educating contributors about the risks of injecting untrusted content and maintaining least privilege principles will reduce attack surface.