The vulnerability is an improper neutralization of user input during web page generation, allowing a DOM‑based cross‑site scripting (XSS) attack. An attacker can inject malicious JavaScript through crafted input, potentially hijacking user sessions, compromising site integrity, or delivering malware. The flaw is identified as CWE‑79, indicating a weakness in input validation and output encoding. The reported CVSS score of 5.9 reflects a moderate severity, indicating that while exploitation is feasible, it does not automatically provide remote code execution or system compromise.

The issue affects the "bestweblayout Portfolio" WordPress plugin versions from the earliest available release through 2.58. Any installation of the Portfolio plugin at or below version 2.58 is vulnerable.

With a CVSS of 5.9 and an EPSS of less than 1 %, the likelihood of public exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability is a DOM‑based XSS, so the likely attack vector involves an attacker supplying malicious payloads via plugin input fields, URL parameters, or other user‑controlled data that is echoed without proper escaping. Successful exploitation would allow the attacker to execute arbitrary scripts in the context of site visitors. The low EPSS indicates that, so far, no widespread exploitation is known.