Impact
This vulnerability arises from improper sanitization of user input in the Winning Portfolio plugin, allowing an attacker to inject malicious scripts that are stored and later rendered on web pages. The primary impact is the compromise of web‑client integrity: attackers can steal cookies, session tokens, or deface the site, potentially leading to credential theft, phishing, and full site takeover. The weakness is identified as CWE‑79, a classic stored XSS flaw with high risk if the application does not apply content filtering or output encoding.
Affected Systems
The affected plugin is Winning Portfolio by pressfore; all releases up to and including version 1.1 are vulnerable. In these versions the stored XSS flaw is reachable through any input mechanism the plugin provides.
Risk and Exploitability
The CVSS score of 6.5 indicates medium‑to‑high severity, while the EPSS score of less than 1% suggests that the probability of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is any form entry that persists data, such as portfolio item titles or descriptions, and it requires that the attacker can write to the database, which typically needs administrative or author privileges. Once injected, the malicious script will execute in the browser of any visitor viewing the affected content.
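For triage on a site that ran an affected version, the following added example (not code from the plugin or from the advisory) audits stored titles and descriptions for markup that would execute if echoed without output encoding, and shows that HTML-encoding the same values leaves nothing executable. The row layout, field names and sample rows are assumptions constructed for illustration; the checks are a heuristic, not a complete XSS filter.

```python
import html
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes that carry a URL; a javascript: scheme there runs script.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}

class ActiveContentFinder(HTMLParser):
    """Collects reasons a stored value would run script if echoed unescaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"{name} event handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace and control characters in the scheme.
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")

def audit_rows(rows):
    """Return {(row_id, field): [findings]} for fields holding active markup."""
    flagged = {}
    for row in rows:
        for field in ("title", "description"):  # hypothetical column names
            finder = ActiveContentFinder()
            finder.feed(row[field])
            finder.close()
            if finder.findings:
                flagged[(row["id"], field)] = finder.findings
    return flagged

def encode_rows(rows):
    """Apply HTML output encoding, as a template should do at render time."""
    return [{"id": r["id"], "title": html.escape(r["title"]),
             "description": html.escape(r["description"])} for r in rows]

# Constructed sample rows standing in for stored portfolio items.
SAMPLE_ROWS = [
    {"id": 1, "title": "Brand refresh", "description": "<p>Logo &amp; <em>palette</em></p>"},
    {"id": 2, "title": "Launch<script>alert(1)</script>", "description": "Campaign site"},
    {"id": 3, "title": "Gallery", "description": '<img src="x.png" onerror="alert(1)">'},
]
```

Flagged rows are candidates for manual review and cleanup; benign formatting such as the first row's paragraph markup is not reported.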