CVE-2025-49420

Vulnerability

Overview

The WordPress Ultra Portfolio plugin, versions through 6.7, contains a Reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This enables an attacker to inject arbitrary HTML and JavaScript into web pages served by the vulnerable application [1].

Exploitation

Details

The vulnerability is classified as reflected XSS, meaning the malicious payload is embedded in a crafted URL or similar request and reflected back in the server's response. Exploitation requires user interaction — a privileged user (such as an administrator) must click a malicious link or submit a crafted form. The attack does not require authentication from the attacker but depends on a victim with certain privileges performing the action [1].

Impact

A successful attack allows the threat actor to inject scripts, redirects, advertisements, or other HTML payloads into the site. These scripts execute in the context of the victim's browser when visiting the affected page, potentially leading to session hijacking, defacement, or further compromise of the WordPress installation [1].

Mitigation

Status

The vulnerability is considered moderately dangerous and is expected to be exploited in mass campaigns against thousands of sites. The vendor has not yet released an official patch; however, Patchstack has provided a mitigation rule to block attacks until an update can be applied. Immediate action is advised — update the plugin to a safe version when available, or contact your hosting provider for assistance [1].