CVE-2025-7046 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'Portfolio for Elementor & Image Gallery | PowerFolio' developed by dotrex. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically via the Custom JS Attributes of the plugin's widgets. The flaw exists in all versions up to and including 3.2.0, where insufficient input sanitization and output escaping allow an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript code. This malicious script is then stored and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability was partially mitigated in version 3.2.0 and fully resolved in version 3.2.1. The CVSS v3.1 base score is 6.4 (medium severity), indicating a network exploitable vulnerability with low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacting confidentiality and integrity but not availability. No known exploits are reported in the wild as of the publication date (July 4, 2025).

For European organizations using WordPress sites with the affected PowerFolio plugin, this vulnerability poses a significant risk. Attackers with Contributor-level access—often achievable through compromised accounts or weak internal controls—can inject malicious scripts that execute in the context of site visitors or administrators. This can lead to theft of authentication tokens, unauthorized actions on behalf of users, defacement, or distribution of malware. The impact is particularly critical for organizations relying on these plugins for public-facing portfolios or galleries, as it undermines user trust and can lead to data breaches or reputational damage. Given the widespread use of WordPress in Europe across sectors including SMEs, creative agencies, and educational institutions, the vulnerability could affect a broad range of targets. The medium severity score reflects the need for prompt remediation to prevent exploitation, especially since no user interaction is required for the attack to succeed once the malicious script is stored.

European organizations should immediately verify the version of the 'Portfolio for Elementor & Image Gallery | PowerFolio' plugin installed on their WordPress sites and upgrade to version 3.2.1 or later, where the vulnerability is fully fixed. If immediate upgrade is not feasible, implement strict role-based access controls to limit Contributor-level permissions only to trusted users and monitor for unusual activity. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting Custom JS Attributes. Conduct regular security audits of plugin configurations and user-generated content to identify and sanitize any injected scripts. Additionally, enable Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.