
CVE-2025-7046: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dotrex Portfolio for Elementor & Image Gallery | PowerFolio

Severity: Medium
Tags: Vulnerability, CVE-2025-7046, CWE-79
Published: Fri Jul 04 2025 (07/04/2025, 01:44:00 UTC)
Source: CVE Database V5
Vendor/Project: dotrex
Product: Portfolio for Elementor & Image Gallery | PowerFolio

Description

The Portfolio for Elementor & Image Gallery | PowerFolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS Attributes of the plugin's widgets in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially fixed in version 3.2.0 and fully fixed in version 3.2.1.

AI-Powered Analysis

Last updated: 07/14/2025, 21:19:15 UTC

Technical Analysis

CVE-2025-7046 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Portfolio for Elementor & Image Gallery | PowerFolio' developed by dotrex. This vulnerability arises from improper neutralization of input during web page generation, specifically within the Custom JS Attributes of the plugin's widgets. Versions up to and including 3.2.0 are vulnerable due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. These malicious scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation of user browsers. The vulnerability was partially mitigated in version 3.2.0 and fully resolved in version 3.2.1. The CVSS v3.1 base score is 6.4 (medium severity), reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-79, indicating improper input neutralization leading to XSS.
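The advisory attributes the flaw to a widget setting for custom attributes being written into the page without sanitization or escaping. The following is an added illustration of that pattern and of the fix it implies, written for this page and not taken from the PowerFolio plugin; the setting key, function names and the "name=value per line" format are assumptions, and the hardened path relies on the real WordPress helpers esc_attr() and sanitize_text_field(), so it expects to run inside a loaded WordPress install.

```php
<?php
// Added example, not PowerFolio's own code. Shows the CWE-79 pattern described in
// the advisory (a raw "custom attributes" setting echoed into a tag) next to a
// hardened rendering path. Widget/setting names are hypothetical.

// --- Weak pattern: the saved setting is echoed straight into the tag. ---
// Whoever can save widget settings controls $custom_attrs verbatim, so any
// markup placed there becomes part of the rendered page.
function pf_example_render_weak( array $settings ) {
    $custom_attrs = isset( $settings['custom_js_attributes'] ) ? $settings['custom_js_attributes'] : '';
    return '<div class="pf-item" ' . $custom_attrs . '></div>';
}

// --- Hardened pattern ---
// 1. Parse the setting into name/value pairs instead of treating it as raw markup.
// 2. Accept only attribute names from an allow-list (no on* handlers, no href/src).
// 3. Escape every value with esc_attr() at output time.
function pf_example_parse_attributes( $raw ) {
    $allowed = array( 'data-id', 'data-category', 'data-index', 'title', 'aria-label' );
    $pairs   = array();
    // Assumed storage format: one "name=value" per line, e.g. "data-id=42".
    foreach ( preg_split( '/\r\n|\r|\n/', (string) $raw ) as $line ) {
        if ( strpos( $line, '=' ) === false ) {
            continue;
        }
        list( $name, $value ) = explode( '=', $line, 2 );
        $name = strtolower( trim( $name ) );
        if ( ! in_array( $name, $allowed, true ) ) {
            continue; // anything not explicitly allowed is dropped, event handlers included
        }
        $pairs[ $name ] = trim( $value );
    }
    return $pairs;
}

function pf_example_render_hardened( array $settings ) {
    $attrs = pf_example_parse_attributes(
        isset( $settings['custom_js_attributes'] ) ? $settings['custom_js_attributes'] : ''
    );
    $html = '<div class="pf-item"';
    foreach ( $attrs as $name => $value ) {
        // esc_attr() neutralises quotes, angle brackets and ampersands, so a value
        // cannot close the attribute or the tag it sits in.
        $html .= ' ' . $name . '="' . esc_attr( $value ) . '"';
    }
    return $html . '></div>';
}

// Sanitize on save as well as on output. Elementor-style controls store settings
// as typed, so the save path applies the same allow-list before persisting.
function pf_example_sanitize_on_save( $raw ) {
    $clean = array();
    foreach ( pf_example_parse_attributes( $raw ) as $name => $value ) {
        $clean[] = $name . '=' . sanitize_text_field( $value );
    }
    return implode( "\n", $clean );
}
```

The point of the two-layer approach is that output escaping alone protects the attribute value but not the attribute name; a Contributor who can choose the name can still supply an event handler. Parsing into an allow-list of names and escaping the value at output time closes both halves, and sanitizing on save means content stored before the fix is cleaned the next time it is edited.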

Potential Impact

For European organizations using WordPress sites with the affected PowerFolio plugin, this vulnerability poses a significant risk. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of users. This can lead to data breaches, reputational damage, and loss of user trust. Since Contributor-level access is required, the threat is more relevant in environments with multiple content editors or where account compromise is possible. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other parts of the website or connected systems. Given the widespread use of WordPress in Europe for business and governmental websites, exploitation could disrupt services or leak sensitive data. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

Mitigation Recommendations

European organizations should immediately verify the version of the PowerFolio plugin installed on their WordPress sites and upgrade to version 3.2.1 or later, where the vulnerability is fully fixed. If upgrading is not immediately feasible, restrict Contributor-level access to trusted users only and monitor user activities closely. Implement Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. Conduct regular security audits and scanning for malicious scripts injected into pages. Additionally, enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Educate content editors about the risks of injecting untrusted JavaScript and enforce strict input validation policies. Finally, maintain up-to-date backups to enable quick restoration if compromise occurs.
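Two of the recommendations above, checking the installed version and enforcing a Content Security Policy, can be carried out from a small must-use plugin. The following is an added example written for this page, not part of the advisory or the PowerFolio project; the plugin file path is a placeholder to be replaced with the plugin's real main file under wp-content/plugins, and the function names are assumptions. It uses the WordPress APIs get_plugin_data(), admin_notices, send_headers and script_loader_tag, which exist as used here.

```php
<?php
/**
 * Plugin Name: PowerFolio CVE-2025-7046 check (added example)
 * Description: Flags affected PowerFolio versions and sends a nonce-based CSP.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'PF_EXAMPLE_FIXED_VERSION', '3.2.1' ); // fully fixed release per the advisory
// PLACEHOLDER: replace with the plugin's real "<dir>/<main-file>.php" relative path.
define( 'PF_EXAMPLE_PLUGIN_FILE', 'PLACEHOLDER-powerfolio/PLACEHOLDER-main-file.php' );

// True for every release before the fix, i.e. 3.2.0 and earlier.
function pf_example_is_vulnerable( $version ) {
    return version_compare( $version, PF_EXAMPLE_FIXED_VERSION, '<' );
}

// Reads the Version header of the installed plugin, or null if it is not installed.
function pf_example_installed_version() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $path = WP_PLUGIN_DIR . '/' . PF_EXAMPLE_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return null;
    }
    $data = get_plugin_data( $path, false, false );
    return isset( $data['Version'] ) ? $data['Version'] : null;
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $version = pf_example_installed_version();
    if ( $version !== null && pf_example_is_vulnerable( $version ) ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'PowerFolio %s is affected by CVE-2025-7046; update to %s or later.',
                $version,
                PF_EXAMPLE_FIXED_VERSION
            ) )
        );
    }
} );

// Nonce-based CSP: only <script> tags carrying the per-request nonce execute, so
// a script stored in post content (which cannot know the nonce) does not run.
function pf_example_csp_nonce() {
    static $nonce = null;
    if ( $nonce === null ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

add_action( 'send_headers', function () {
    header(
        "Content-Security-Policy: script-src 'nonce-" . pf_example_csp_nonce() .
        "' 'strict-dynamic'; object-src 'none'; base-uri 'self'"
    );
} );

// Scripts WordPress enqueues get the nonce so they keep working under the policy.
add_filter( 'script_loader_tag', function ( $tag ) {
    return str_replace( '<script ', '<script nonce="' . esc_attr( pf_example_csp_nonce() ) . '" ', $tag );
} );
```

Caveat before deploying the CSP part: themes and plugins that print inline scripts outside wp_enqueue_script() will be blocked until they are given the nonce (wp_inline_script_attributes() is the helper for that on WordPress 5.7 and later), so run it in report-only mode on a staging site first. The version check is a stopgap for inventory; it does not replace the upgrade to 3.2.1.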


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-03T12:05:04.878Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68673b5e6f40f0eb729e5fde

Added to database: 7/4/2025, 2:24:30 AM

Last enriched: 7/14/2025, 9:19:15 PM

Last updated: 8/15/2025, 2:09:17 PM
