CVE-2025-58245
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bestweblayout Portfolio portfolio allows DOM-Based XSS. This issue affects Portfolio: from n/a through <= 2.58.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS vulnerability in the Portfolio plugin for WordPress (≤2.58) allows unauthenticated attackers to inject malicious scripts via crafted input.
The Portfolio plugin for WordPress, versions 2.58 and earlier, contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary script execution in the context of a victim's browser session.
Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. No authentication is needed to trigger the vulnerability, making it accessible to unauthenticated attackers. The attack vector is network-based with low complexity, as reflected in the CVSS v3 base score of 5.9 [1].
Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when other users visit the affected site [1]. This can lead to data theft, session hijacking, or defacement, and the vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites [1].
As of the publication date, users are advised to update the plugin to a patched version if available. If an update is not possible, immediate action such as contacting a hosting provider or web developer is recommended [1]. No workaround details are provided in the reference.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (no CPE), affected range: <= 2.58
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.