Description
The Bootstrap Multi-language Responsive Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-11-04
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Bootstrap Multi‑language Responsive Portfolio plugin contains a stored cross‑site scripting flaw that allows attackers who are authenticated with administrator‑level permissions or higher to insert arbitrary web scripts through the plugin’s admin settings. When a page that contains the injected content is viewed by a user, the script executes in the victim’s browser, potentially allowing the attacker to manipulate page content and to read or alter data in the victim’s context.

Affected Systems

All releases of the Bootstrap Multi‑language Responsive Portfolio plugin up to and including version 1.0 are affected. The vulnerability only applies to WordPress installations that are configured as multisite and that have the unfiltered_html capability disabled. Affected systems are those using the August Infotech plugin in these configurations.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.4, indicating moderate severity, and an EPSS score of less than 1%, representing a low but non‑zero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker must have authenticated administrator access to the plugin’s settings to exploit the issue, so the attack requires an account that already holds high privileges within the WordPress installation, making this typically a moderate‑risk scenario with low exploitation probability.

Generated by OpenCVE AI on April 22, 2026 at 00:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bootstrap Multi‑language Responsive Portfolio plugin to a version that contains the XSS fix if such a version is available.
  • If no patch exists, disable or uninstall the plugin to remove the vulnerable code path.
  • After disabling or updating, review existing portfolio pages and settings for any malicious content and remove it if present.
  • Restrict the unfiltered_html capability or enable proper sanitization to reduce the risk of future XSS injections.


Advisories

No advisories yet.

History

Tue, 04 Nov 2025 16:45:00 +0000

  • First Time appeared: added Wordpress; Wordpress wordpress
  • Vendors & Products: added Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 15:15:00 +0000

  • Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 04:45:00 +0000

  • Description: added "The Bootstrap Multi-language Responsive Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
  • Title: added "Multi-language Responsive Portfolio WordPress <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting"
  • Weaknesses: added CWE-79
  • References: (none listed)
  • Metrics (cvssV3_1): added {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:38.071Z

Reserved: 2025-10-14T16:26:03.705Z

Link: CVE-2025-11753

Vulnrichment

Updated: 2025-11-04T14:56:53.722Z

NVD

Status: Deferred

Published: 2025-11-04T05:16:02.263

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses