CVE-2025-1757
📋 TL;DR
The WordPress Portfolio Builder plugin has a stored XSS vulnerability in all versions up to 1.1.7. Authenticated attackers with contributor-level access or higher can inject malicious scripts via shortcode attributes, which execute when users view affected pages. This affects all WordPress sites using the vulnerable plugin version.
💻 Affected Systems
- WordPress Portfolio Builder – Portfolio Gallery plugin
📦 What is this software?
Portfoliohub by Portfoliohub
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies or display phishing content to visitors.
If Mitigated
With proper user access controls and content security policies, impact is limited to isolated script execution without data compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208749%40uber-grid&new=3208749%40uber-grid&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Portfolio Builder – Portfolio Gallery'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.1.8+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable shortcodes
Remove or disable the 'pfhub_portfolio' and 'pfhub_portfolio_portfolio' shortcodes from theme files and posts:
- Edit WordPress theme files to remove shortcode usage
- Search posts/pages for the shortcodes and remove them
Restrict user roles
Limit contributor-level access to trusted users only:
- Review and reduce the number of users with the contributor role or higher
🧯 If You Can't Patch
- Disable the Portfolio Builder plugin entirely until patched
- Implement Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Portfolio Builder – Portfolio Gallery' version 1.1.7 or lower
Check Version:
wp plugin list --name='portfolio-builder' --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm plugin version is 1.1.8 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with shortcode parameters
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Unexpected script tags in page responses containing portfolio shortcodes
SIEM Query:
source="wordpress.log" AND ("pfhub_portfolio" OR "pfhub_portfolio_portfolio") AND ("script" OR "onclick" OR "javascript:")
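As an added defensive example (not the plugin's or the page's own code), the Python script below applies the indicators above to stored post content rather than to logs, flagging attribute values of the two named shortcodes that carry raw markup, quote characters, on*= handlers or javascript: URIs. The shortcode and attribute regexes are constructed approximations of WordPress shortcode syntax, and the sample post is constructed.

```python
import re
from typing import List, Tuple

# Shortcode tags named in the advisory's workaround section.
SHORTCODES = ("pfhub_portfolio", "pfhub_portfolio_portfolio")

# Constructed approximation of WordPress shortcode syntax: [tag attrs], with
# escaped [[tag]] skipped because WordPress renders those literally.
SHORTCODE_RE = re.compile(
    r"(?<!\[)\[(" + "|".join(SHORTCODES) + r")\b([^\]]*)\]"
)
# key="value", key='value' or key=value, the forms shortcode_parse_atts() accepts.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")

# Indicators: the advisory's SIEM terms (onclick-style handlers, javascript:)
# plus raw markup or quote characters, which esc_attr() output never contains.
INDICATORS = (
    ("markup", re.compile(r"[<>]")),
    ("quote_breakout", re.compile(r"""["']""")),
    ("event_handler", re.compile(r"\bon\w+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
)


def scan_post_content(content: str) -> List[Tuple[str, str, str]]:
    """Return one (shortcode, attribute, indicator) tuple per indicator found
    in an attribute value of a pfhub_portfolio* shortcode."""
    findings = []
    for tag_match in SHORTCODE_RE.finditer(content):
        tag, attr_blob = tag_match.group(1), tag_match.group(2)
        for attr_match in ATTR_RE.finditer(attr_blob):
            name = attr_match.group(1)
            # Exactly one of the three value groups is populated.
            value = next(v for v in attr_match.groups()[1:] if v is not None)
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    findings.append((tag, name, label))
    return findings


# Constructed post content: one clean gallery, two tampered attributes and
# one escaped shortcode that must not be flagged.
SAMPLE_POST = """<h2>Gallery</h2>
[pfhub_portfolio id="12" columns="3"]
[pfhub_portfolio_portfolio id="7" title="Spring set" link="javascript:alert(1)"]
[pfhub_portfolio id='5' caption='Team <script>alert(1)</script>']
[[pfhub_portfolio id="9"]]
"""

if __name__ == "__main__":
    for tag, attr, label in scan_post_content(SAMPLE_POST):
        print(f"{tag}: attribute '{attr}' flagged ({label})")
```

Feed it the output of `wp post list --format=...`/`wp post get` or a WXR export to sweep existing content while the plugin is disabled or being updated.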