The vulnerability arises from improper neutralization of user-provided input when rendering portfolio pages in the Easy Portfolio plugin for WordPress. This stored Cross‑Site Scripting flaw allows an attacker to persist malicious JavaScript that executes in the browsers of anyone who views a compromised portfolio entry, potentially leading to session hijacking, defacement, or the delivery of additional malware. The weakness corresponds to CWE‑79 and impacts confidentiality, integrity, and user experience.

WordPress sites running the Easy Portfolio plugin version 1.3 or earlier are affected. The vulnerability applies to all WordPress installations that have the plugin active and allow users with content‑creation privileges to submit or edit portfolio items. No specific WordPress core version is stated, so any WordPress site that includes the specified plugin version is at risk.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% implies the likelihood of widespread exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known high‑profile attacks have been documented yet. Exploitation requires the attacker to inject malicious input into a portfolio entry, meaning that some form of authenticated access with rights to create or edit content is likely required. Once injected, the malicious code would run automatically for all visitors, providing a convenient vector for further attacks.