The Themify Portfolio Post plugin for WordPress versions up to 1.3.0 contains a Stored Cross-site Scripting (XSS) vulnerability due to improper input neutralization during web page generation. This allows an attacker to inject malicious scripts that persist in the application and execute in the context of users' browsers, potentially leading to data theft, session hijacking, or other impacts. The vulnerability has a CVSS 3.1 base score of 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No official patch or mitigation guidance is currently available, and no known exploits have been reported.

Successful exploitation of this Stored XSS vulnerability can lead to execution of arbitrary scripts in the context of users visiting affected web pages. This may result in theft of sensitive information such as cookies or session tokens, modification of displayed content, or other malicious actions impacting confidentiality, integrity, and availability of user data and application functionality. The CVSS score of 7.1 reflects a high impact with network-based attack and low complexity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the affected Themify Portfolio Post plugin versions or applying any available temporary mitigations recommended by the vendor. Avoid processing untrusted input through the plugin and monitor for updates from Themifyme.