CVE-2025-7046 identifies a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Portfolio for Elementor & Image Gallery | PowerFolio developed by dotrex. The vulnerability exists due to improper neutralization of input (CWE-79) during web page generation, specifically in the handling of Custom JS Attributes within the plugin's widgets. Versions up to and including 3.2.0 fail to adequately sanitize and escape user-supplied input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions. The vulnerability is exploitable remotely over the network without user interaction but requires authenticated access with low privileges, making it moderately accessible to attackers. The issue was partially addressed in version 3.2.0 and fully fixed in 3.2.1. The CVSS v3.1 base score of 6.4 reflects a medium severity, with attack vector network, low attack complexity, privileges required, no user interaction, and a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using the affected plugin versions.

The impact of CVE-2025-7046 on organizations worldwide can be significant, especially for those relying on the affected WordPress plugin to manage portfolios or image galleries. Successful exploitation allows attackers with relatively low privileges to inject persistent malicious scripts, which execute in the browsers of site visitors and administrators. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, phishing, or distribution of malware. The compromise of administrator sessions could result in full site takeover. Since WordPress powers a large portion of websites globally, and Elementor is a widely used page builder, the affected plugin's market penetration increases the potential attack surface. Organizations with Contributor-level users, such as content creators or editors, are particularly at risk. The vulnerability does not directly impact availability but threatens confidentiality and integrity of user data and site content. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits after disclosure.

To mitigate CVE-2025-7046, organizations should immediately upgrade the Portfolio for Elementor & Image Gallery | PowerFolio plugin to version 3.2.1 or later, where the vulnerability is fully fixed. Until the upgrade is applied, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts targeting the plugin's widget inputs. Regularly audit and sanitize existing content for injected scripts, especially in Custom JS Attributes fields. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Monitor logs for unusual activity or changes in plugin-related content. Educate content contributors about the risks of injecting arbitrary scripts and enforce strict input validation policies. Finally, maintain an up-to-date inventory of WordPress plugins and monitor vulnerability disclosures to respond promptly to new threats.