CVE-2025-7046: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dotrex Portfolio for Elementor & Image Gallery | PowerFolio
The Portfolio for Elementor & Image Gallery | PowerFolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS Attributes of the plugin's widgets in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially fixed in version 3.2.0 and fully fixed in version 3.2.1.
AI Analysis
Technical Summary
CVE-2025-7046 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'Portfolio for Elementor & Image Gallery | PowerFolio' developed by dotrex. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically via the Custom JS Attributes of the plugin's widgets. The flaw exists in all versions up to and including 3.2.0, where insufficient input sanitization and output escaping allow an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript code. This malicious script is then stored and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability was partially mitigated in version 3.2.0 and fully resolved in version 3.2.1. The CVSS v3.1 base score is 6.4 (medium severity), indicating a network exploitable vulnerability with low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacting confidentiality and integrity but not availability. No known exploits are reported in the wild as of the publication date (July 4, 2025).
Potential Impact
For European organizations using WordPress sites with the affected PowerFolio plugin, this vulnerability poses a significant risk. Attackers with Contributor-level access—often achievable through compromised accounts or weak internal controls—can inject malicious scripts that execute in the context of site visitors or administrators. This can lead to theft of authentication tokens, unauthorized actions on behalf of users, defacement, or distribution of malware. The impact is particularly critical for organizations relying on these plugins for public-facing portfolios or galleries, as it undermines user trust and can lead to data breaches or reputational damage. Given the widespread use of WordPress in Europe across sectors including SMEs, creative agencies, and educational institutions, the vulnerability could affect a broad range of targets. The medium severity score reflects the need for prompt remediation to prevent exploitation, especially since no user interaction is required for the attack to succeed once the malicious script is stored.
Mitigation Recommendations
European organizations should immediately verify the version of the 'Portfolio for Elementor & Image Gallery | PowerFolio' plugin installed on their WordPress sites and upgrade to version 3.2.1 or later, where the vulnerability is fully fixed. If immediate upgrade is not feasible, implement strict role-based access controls to limit Contributor-level permissions only to trusted users and monitor for unusual activity. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting Custom JS Attributes. Conduct regular security audits of plugin configurations and user-generated content to identify and sanitize any injected scripts. Additionally, enable Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.
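To make the "insufficient input sanitization and output escaping" concrete, here is an added example that is not the PowerFolio plugin's own code: a hypothetical Elementor-style widget that accepts editor-supplied custom attributes (one `name|value` per line, an assumed format) and renders them on its wrapper element. The insecure version reproduces the CWE-79 pattern the advisory describes; the hardened version whitelists attribute names and escapes on output. It assumes it runs inside WordPress, where `sanitize_text_field()` and `esc_attr()` are core functions.

```php
<?php
// Added example, not the plugin's code. Renders editor-controlled "custom attributes"
// on a widget wrapper. $settings['custom_attrs'] is an assumed setting name.

// Insecure: the raw setting is concatenated into markup. A Contributor-level author
// who controls this string can close the quoted attribute or add an event-handler
// attribute, and the result is stored and served to every visitor (stored XSS).
function render_wrapper_insecure( array $settings ): string {
    $attrs = (string) ( $settings['custom_attrs'] ?? '' );
    return '<div class="powerfolio-item" ' . $attrs . '>';
}

// Hardened: allow only data-* attributes plus a short whitelist, sanitize each value,
// and HTML-attribute-escape both name and value at output time.
function render_wrapper_hardened( array $settings ): string {
    $allowed_names = [ 'title', 'role', 'aria-label' ]; // assumed whitelist for this widget
    $out = '';
    foreach ( explode( "\n", (string) ( $settings['custom_attrs'] ?? '' ) ) as $line ) {
        $parts = array_map( 'trim', explode( '|', $line, 2 ) );
        if ( count( $parts ) !== 2 || $parts[0] === '' ) {
            continue;
        }
        [ $name, $value ] = $parts;
        $name = strtolower( $name );
        // Reject anything that is not a plain data-* or whitelisted name. This refuses
        // on* event handlers, style, href/src, and names containing quotes or spaces.
        if ( ! preg_match( '/^data-[a-z0-9-]+$/', $name )
            && ! in_array( $name, $allowed_names, true ) ) {
            continue;
        }
        // sanitize_text_field() strips tags, line breaks and control bytes;
        // esc_attr() encodes quotes and angle brackets so the value cannot
        // terminate the attribute or start a new tag.
        $value = sanitize_text_field( $value );
        $out  .= ' ' . esc_attr( $name ) . '="' . esc_attr( $value ) . '"';
    }
    return '<div class="powerfolio-item"' . $out . '>';
}
```

Escaping at output is the control that actually closes the CWE-79 gap; sanitizing at save time is defence in depth, since existing stored values and other write paths (REST, import) bypass a save-time-only filter.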
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-03T12:05:04.878Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68673b5e6f40f0eb729e5fde
Added to database: 7/4/2025, 2:24:30 AM
Last enriched: 7/4/2025, 2:41:13 AM
Last updated: 7/4/2025, 3:36:24 AM