The vulnerability is an improper neutralization of input during web page generation, allowing a stored XSS flaw in the Opal Portfolio plugin. An attacker can inject malicious JavaScript that persists in the database and executes whenever the affected content is displayed, potentially compromising user credentials, defacing the site, or redirecting visitors. Based on the description, the injection occurs through user‑supplied data that the plugin stores without proper sanitization. The primary impact is cross‑site scripting that could affect the confidentiality and integrity of user sessions.

The flaw affects the wpopal Opal Portfolio (opal‑portfolios) plugin for WordPress on all builds from the earliest release through version 1.0.4. The plugin is typically used to display portfolios and media galleries, and any site running a vulnerable version is susceptible.

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at present, and the flaw is not listed in the CISA KEV catalog. Nonetheless, the attack vector is inferred to be a classic stored XSS that may be triggered by a user creating or editing a portfolio entry or taxonomy. Exploitation would require that the attacker can supply or modify input fields that are rendered later on by the plugin. Given that the flaw allows persistent code execution, administrators should treat it as a serious risk if the site exposes the plugin to untrusted users.