Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2.
Published: 2025-12-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

An attacker can inject malicious script that is stored and then served to any user who views the vulnerable content. The script runs in the victim’s browser context, potentially exposing session cookies, performing phishing, or loading additional malware. The vulnerability is a classic stored XSS (CWE‑79).

Affected Systems

ThemeNectar Salient Portfolio theme for WordPress, versions from unversioned releases up to and including 1.8.2 are affected. Earlier versions lack explicit numbering in the CNA data.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity. An EPSS score of under 1% shows that, at present, the exploitation probability is low but not zero. The vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker who can create or edit portfolio items, entering a payload that is stored in the database and later rendered in a web page. The exposure is limited to browsers rendering the malicious content, but the effect can reach many users who view the affected portfolio items.

Generated by OpenCVE AI on April 27, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Salient Portfolio to version 1.8.3 or later, which resolves the XSS issue.
  • If the upgrade is not possible, temporarily deactivate or remove the Salient Portfolio theme to eliminate the vulnerability.
  • Ensure that only trusted users have permissions to create or edit portfolio items, limiting the ability to inject malicious payloads.
  • Implement a Content Security Policy that blocks inline scripts and restricts script sources, providing a defense in depth measure.

Generated by OpenCVE AI on April 27, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 17 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Dec 2025 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Themenectar
Themenectar salient Core
Wordpress
Wordpress wordpress
Vendors & Products Themenectar
Themenectar salient Core
Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2.
Title WordPress Salient Portfolio theme <= 1.8.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Themenectar Salient Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:58:30.795Z

Reserved: 2025-12-15T10:01:24.073Z

Link: CVE-2025-68078

cve-icon Vulnrichment

Updated: 2025-12-17T14:54:48.396Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:16:02.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68078

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses