Impact
Improper neutralization of input during web page generation allows a malicious user to inject JavaScript into pages served by the Penci Portfolio plugin. The resulting DOM-based Cross-Site Scripting can execute arbitrary script in the context of any visitor, enabling session hijacking, defacement, or the delivery of phishing content. This weakness directly exposes user browsers to code that can read or modify page data, potentially compromising both user privacy and site integrity.
Affected Systems
The vulnerability affects all installations of the Penci Portfolio plugin from PenciDesign up to and including version 3.5. The first affected release is unspecified, so every site running version 3.5 or earlier is potentially exploitable. The vendor database lists the product as PenciDesign: Penci Portfolio, with an unknown lower bound on the version range and 3.5 as the critical cutoff.
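A defender-side inventory check for the affected range above, added here as an example and not taken from the advisory or the vendor. It assumes the plugin's main PHP file carries a standard WordPress header with `Plugin Name: Penci Portfolio` and a `Version:` field; the folder names in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (3, 5)           # advisory: affected up to and including 3.5
PLUGIN_NAME = "penci portfolio"  # assumption: "Plugin Name" header value, lowercased
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def parse_version(text):
    """'3.5.1' -> (3, 5, 1); '3.5-beta' -> (3, 5); no leading digits -> ()."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_affected(version):
    """True if version <= 3.5; an unreadable version is treated as affected."""
    v = parse_version(version)
    if not v:
        return True
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # so 3.5 compares equal to 3.5.0
    return pad(v) <= pad(LAST_AFFECTED)

def scan_plugins(plugins_dir):
    """Return (folder, version, affected) for each matching plugin header."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        fields = {}
        for key, value in HEADER.findall(head):
            fields.setdefault(key.lower(), value.strip())  # first occurrence wins
        if fields.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        version = fields.get("version", "")
        findings.append((php.parent.name, version, is_affected(version)))
    return findings

def demo():
    """Scan a constructed plugins tree (folder names and files are made up)."""
    samples = {"portfolio-old": ("Penci Portfolio", "3.5"),
               "portfolio-new": ("Penci Portfolio", "3.5.1"),
               "other-plugin": ("Something Else", "1.0")}
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, ver) in samples.items():
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return scan_plugins(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_plugins` at a site's `wp-content/plugins` directory; a result of `False` only means the version is above the range this advisory states.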
Risk and Exploitability
With a CVSS base score of 6.5, the flaw carries moderate severity. The EPSS score of less than 1% indicates that widespread automated exploitation using publicly available inputs is unlikely, especially since this is a client-side vulnerability that requires a target page to be rendered. The flaw is not listed in CISA’s KEV catalog. Exploitation generally requires an attacker to craft a malicious link or payload that injects script and to get a user to load a page that includes the vulnerable plugin. No elevated privileges or network access are needed beyond normal browser interaction.