The vulnerability is an improper neutralization of input during web page generation that permits reflected cross‑site scripting in the DPortfolio plugin. An attacker can craft URLs containing malicious script payloads that the plugin displays without sanitization. If the victim’s browser executes the injected script, the attacker could steal session cookies, tamper with page content, or exfiltrate data. Based on the description, it is inferred that the impact is confined to the victim’s browser context and does not involve server‑side compromise.

The affected product is the DPortfolio plugin for WordPress developed by dinamiko. All versions up to and including 2.0 are vulnerable; any installation using a pre‑2.1 release is at risk.

The CVSS score of 7.1 places this flaw in the high‑severity range. The EPSS score of less than 1% indicates a low probability of exploitation today, though the plugin accepts unsanitized parameters without authentication, so a crafted URL can trigger the XSS. The flaw is not listed in CISA KEV, indicating no known large‑scale exploitation. The likely attack vector is a reflected XSS triggered by a malicious link that a site visitor clicks or is redirected to, allowing the attacker to execute code in the victim’s browser.