Impact
The Behance Portfolio Manager plugin for WordPress contains a stored cross‑site scripting flaw caused by improper neutralization of user input during page generation. An attacker who can inject content into the plugin’s storage—such as by editing a portfolio entry—can execute arbitrary JavaScript whenever a user views the affected page. This can result in credential theft, session hijacking, defacement, or additional malicious activity within the site. The weakness matches the classic stored XSS category (CWE‑79). The likely attack vector requires the attacker to first gain the ability to write into the plugin’s content store, typically via an authenticated WordPress account with edit permissions for portfolio items.
Affected Systems
Vendors: eleopard. Product: Behance Portfolio Manager (portfolio-manager-powered-by-behance). Versions impacted include all releases up to and including 1.7.5, the current highest version at the time of disclosure.
Risk and Exploitability
The CVSS base score of 5.9 indicates a moderate risk level, mainly affecting the integrity and security of users’ browsers. The EPSS score is below 1%, indicating a very low estimated likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation typically requires the attacker to have write access to the plugin’s content storage; once a malicious script is stored, every visitor who views that content is exposed to it. Although no widespread public attacks have been reported, the potential impact remains significant for any site that allows untrusted users to edit portfolio entries.
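A triage sketch for the exposure described above, added here as an example and not taken from the plugin or from OpenCVE: it checks an installed version against the affected range and flags stored portfolio values containing markup that would execute if echoed without neutralization. The entry structure and field names are hypothetical, the sample data is constructed, and treating releases after 1.7.5 as unaffected is an assumption because the advisory names no fixed version.

```python
from html.parser import HTMLParser

AFFECTED_MAX = (1, 7, 5)  # from the advisory: all releases up to and including 1.7.5
URL_ATTRS = {"href", "src", "action", "formaction"}

def is_affected(version):
    """True when a dotted version string is <= 1.7.5 (later releases assumed unaffected)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    width = max(len(parts), len(AFFECTED_MAX))
    pad = lambda seq: seq + (0,) * (width - len(seq))
    return pad(parts) <= pad(AFFECTED_MAX)

class ActiveContentFinder(HTMLParser):
    """Records markup that would execute script if a stored value were echoed unescaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes entities in values.
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def scan_value(value):
    """Return the active-content findings for one stored string."""
    finder = ActiveContentFinder()
    finder.feed(value)
    finder.close()
    return finder.findings

def triage(plugin_version, entries):
    """Map entry id -> findings for stored entries on an affected install."""
    if not is_affected(plugin_version):
        return {}
    report = {}
    for entry in entries:
        hits = [f"{field}: {hit}" for field, value in entry["fields"].items()
                for hit in scan_value(value)]
        if hits:
            report[entry["id"]] = hits
    return report

# Constructed sample data; field names are hypothetical, not the plugin's schema.
SAMPLE_ENTRIES = [
    {"id": 101, "fields": {"title": "Logo redesign", "description": "Work for a <b>client</b>"}},
    {"id": 102, "fields": {"title": 'Poster <img src="a.png" onload="void 0">', "description": "Print"}},
    {"id": 103, "fields": {"title": "Site", "description": '<a href="javascript:void(0)">more</a><script></script>'}},
]
```

Entries flagged by `triage` are candidates for manual review and cleanup; a clean result does not show that the rendering path neutralizes its output.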