Description
Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is previewed, affecting all users viewing the page.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the title field of the Filterable Portfolio Gallery plugin. When an authenticated user enters a malicious payload into the title, such as an image tag carrying an onerror handler, the payload is stored in the database and later executed when the gallery is previewed. This flaw is a classic instance of CWE-79: the attacker injects arbitrary client-side script that runs in the browser of every visitor to the affected gallery.

Affected Systems

WordPress sites that have version 1.0 of the Filterable Portfolio Gallery plugin installed are affected. The flaw lies in the plugin's handling of the title field and requires the attacker to be an authenticated user with permission to edit gallery items. Any WordPress installation running this plugin version is susceptible.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity risk. An attacker must have authenticated access to the admin interface, but once the payload is stored it affects every visitor viewing the gallery, enabling script execution in their browsers. The EPSS score is not available and the vulnerability is not listed in KEV, suggesting that while the flaw is known, there is no current evidence of widespread exploitation. The risk is elevated by the broad audience of gallery pages and the potential for data theft or session hijacking through the injected code.

Generated by OpenCVE AI on May 10, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Filterable Portfolio Gallery plugin to the latest version that addresses the XSS issue
  • If an update cannot be applied, disable or uninstall the plugin to eliminate the vulnerable code
  • Review and sanitize all user‑provided title fields, ensuring that output is properly escaped or filtered, and consider deploying a security plugin that enforces strict input validation
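An added illustration of the third recommendation, written for this page and not taken from the plugin: the vulnerable pattern the advisory describes (a stored title echoed raw into the gallery markup) beside a hardened version that checks the caller's capability on save, normalises the value with WordPress's sanitize_text_field(), and escapes on output with esc_html() / esc_attr() so that whatever is in the database is rendered as text. The meta key fpg_title, the function names and the surrounding markup are assumptions for this example; the WordPress helpers themselves are the standard ones.

```php
<?php
// Example code added for illustration; not the plugin's own code.
// The meta key 'fpg_title' and the fpg_* function names are assumptions.

// Vulnerable pattern: the stored title goes into the markup unescaped, so a
// title such as <img src=x onerror=...> is parsed as live HTML by every visitor.
function fpg_render_title_unsafe( $post_id ) {
    $title = get_post_meta( $post_id, 'fpg_title', true );
    return '<h3 class="fpg-title">' . $title . '</h3>';
}

// Hardened, step 1: control who may write and normalise the input on save.
// sanitize_text_field() strips tags and invalid UTF-8; the capability check
// refuses writes from users who may not edit this item at all.
function fpg_save_title( $post_id, $raw_title ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    $clean = sanitize_text_field( wp_unslash( $raw_title ) );
    return update_post_meta( $post_id, 'fpg_title', $clean );
}

// Hardened, step 2: escape on output regardless of what is stored, so data
// written before the fix (or through another path) is still rendered as text.
// esc_html() encodes < > & " ' for the HTML text context.
function fpg_render_title_safe( $post_id ) {
    $title = get_post_meta( $post_id, 'fpg_title', true );
    return '<h3 class="fpg-title">' . esc_html( $title ) . '</h3>';
}

// The same rule for the attribute context, e.g. the preview image's alt text:
// esc_attr() for attribute values, esc_url() for the URL.
function fpg_render_preview_safe( $post_id, $image_url ) {
    $title = get_post_meta( $post_id, 'fpg_title', true );
    return '<img class="fpg-preview" src="' . esc_url( $image_url )
        . '" alt="' . esc_attr( $title ) . '" />';
}
```

Input sanitisation on save is a useful second layer, but the escape at output time is the control that actually closes CWE-79: it is applied at the point where the context (HTML text, attribute, URL) is known, and it protects against values that reached the database by any other route.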

Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type: First Time appeared
  Values Added:
    Filterable-portfolio
    Filterable-portfolio filterable Portfolio Gallery
    Wordpress
    Wordpress wordpress

Type: Vendors & Products
  Values Added:
    Filterable-portfolio
    Filterable-portfolio filterable Portfolio Gallery
    Wordpress
    Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type: Description
  Values Added: Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is previewed, affecting all users viewing the page.

Type: Title
  Values Added: WordPress Plugin Filterable Portfolio Gallery 1.0 Stored XSS

Type: Weaknesses
  Values Added: CWE-79

Type: References

Type: Metrics
  Values Added:
    cvssV3_1: score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
    cvssV4_0: score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T15:15:18.819Z

Reserved: 2026-02-01T11:24:18.716Z

Link: CVE-2021-47929

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:29.017

Modified: 2026-05-10T13:16:29.017

Link: CVE-2021-47929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:33Z

Weaknesses