Impact
The Ultra Portfolio WordPress plugin contains a reflected cross‑site scripting flaw that allows user‑supplied data to be injected into a page without proper sanitization. If an attacker succeeds, arbitrary JavaScript will execute in the victim’s browser, potentially stealing session cookies, hijacking user sessions, modifying page content, or redirecting users to malicious sites. The weakness is an instance of improper input neutralization (CWE‑79). The likely attack vector is inferred to be a crafted URL or form input that echoes user input back into the page. The impact is confined to the browser context of visitors who load the vulnerable page.
Affected Systems
Any WordPress installation running the ThemePassion Ultra Portfolio plugin at version 6.7 or earlier is affected; this covers every release from the initial public version through 6.7 inclusive. Hosts should verify the installed plugin version against the advisory to determine whether the site is vulnerable.
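An added example, not part of the advisory or the plugin's own code: a check that reads the `Version:` header from a plugin's main PHP file and compares it with the 6.7 boundary stated above. The function names and the sample header are constructed for illustration; the real plugin's file path is not given here, so pass in the file contents yourself.

```python
import re

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = "6.7"

# WordPress reads plugin metadata from a header comment in the main plugin file,
# e.g. " * Version: 1.2.3". Leading comment characters are tolerated.
_HEADER = re.compile(
    r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.I | re.M
)

# Constructed sample header (not the real plugin file).
SAMPLE = """<?php
/**
 * Plugin Name: Example Portfolio Plugin
 * Version: 6.7
 */
"""


def plugin_version(php_source):
    """Return the Version header from a plugin's main PHP file, or None."""
    # WordPress only scans the first 8 KiB of the file for headers.
    match = _HEADER.search(php_source[:8192])
    return match.group(1).strip() if match else None


def version_key(version):
    """Turn '6.10.1' into (6, 10, 1) so that 6.10 sorts above 6.7."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    # Drop trailing zeros so that 6.7 and 6.7.0 compare equal.
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(php_source, last_affected=LAST_AFFECTED):
    """True if in the affected range, False if newer, None if no version found."""
    found = plugin_version(php_source)
    if found is None:
        return None  # unknown: treat as needing manual review
    return version_key(found) <= version_key(last_affected)


if __name__ == "__main__":
    print(plugin_version(SAMPLE), is_affected(SAMPLE))
```

A `None` result means the header could not be read and the version needs manual review; it does not mean the site is safe.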
Risk and Exploitability
The CVSS base score of 7.1 signals a high severity risk. The EPSS score of less than 1% indicates that exploitation is currently considered unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, because the flaw allows arbitrary client‑side code to run, successful exploitation could lead to data theft, session hijacking, or site defacement. Exploitation likely occurs when a visitor accesses a maliciously crafted link or submits an input field whose value is reflected in the page without sanitization. Given the low exploitation probability but potentially severe consequences, administrators should promptly address the issue.