Impact
The Social Feed Gallery Portfolio plugin does not sufficiently validate the 'id' parameter of its [igp-wp] shortcode, so malicious strings can be stored in the database. When a user views a page that renders the shortcode, the unescaped payload is executed by the browser, and the injected script runs in the same context as the page visitor. This can lead to session hijacking, data theft, or defacement of the site, with impact spanning confidentiality, integrity, and availability. The flaw is reachable only by users authenticated with Contributor-level access or higher; such users can modify gallery entries or the shortcode content, which enables the injection. Because the vulnerability resides in stored user input, the malicious code persists across sessions and affects all users who view the compromised page. The risk is moderate, with a CVSS score of 6.4, and the EPSS score indicates a very low likelihood of exploitation. The flaw has not yet appeared in the CISA KEV catalog.
Affected Systems
The affected product is the Social Feed Gallery Portfolio plugin for WordPress, maintained by wpdiscover. All versions up to and including 1.3 are vulnerable. The vulnerability specifically affects the [igp-wp] shortcode when the 'id' attribute is present.
Risk and Exploitability
The vulnerability is limited to authenticated users with Contributor-level access or higher, meaning an attacker must first obtain valid credentials that grant such permissions. Once the malicious payload is stored via the 'id' attribute, any visitor to the page rendering the shortcode receives the script in their browser, enabling session hijacking, information theft, or defacement. The CVSS base score of 6.4 indicates moderate severity, while the EPSS score of less than 1% reflects a low probability of exploitation at present. The vulnerability is not yet catalogued in the CISA KEV, so no active exploits have been reported as of this analysis.
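An added example, not code from the plugin or from this advisory: a Python audit that scans stored post content for [igp-wp] shortcodes whose 'id' value is not a plain token, so an administrator can review entries saved by Contributor-level accounts. The allowlist for a legitimate id and the sample rows are assumptions constructed for illustration.

```python
import html
import re

# An [igp-wp ...] tag; group 1 is its raw attribute string.
SHORTCODE_RE = re.compile(r"\[igp-wp\b([^\]]*)\]", re.IGNORECASE)
# id="...", id='...' or bare id=value, the three ways a shortcode attribute is written.
ID_ATTR_RE = re.compile(
    r"""(?<![\w-])id\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.IGNORECASE
)
# Assumption: a legitimate gallery id is a short token of these characters only.
SAFE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def audit_posts(posts):
    """Return one finding per [igp-wp] shortcode whose id is not a plain token."""
    findings = []
    for post_id, content in posts:
        for tag in SHORTCODE_RE.finditer(content):
            attr = ID_ATTR_RE.search(tag.group(1))
            if attr is None:
                continue  # shortcode used without an id attribute
            value = next(g for g in attr.groups() if g is not None)
            if SAFE_ID_RE.fullmatch(value):
                continue
            findings.append({
                "post_id": post_id,
                "value": value,
                # Escaped form, safe to show in an HTML report or ticket.
                "escaped": html.escape(value, quote=True),
            })
    return findings


# Constructed sample rows standing in for (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, 'Our gallery: [igp-wp id="12"]'),
    (102, "Intro [igp-wp id='7\"><b>constructed</b>'] outro"),
    (103, "[igp-wp id=main-feed]"),
    (104, 'Plain text mentioning id="x" without the shortcode'),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(f"post {finding['post_id']}: suspicious id {finding['escaped']}")
```

Any post it reports should be reviewed together with the account that last edited it.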