Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio designthemes-portfolio allows Reflected XSS. This issue affects DesignThemes Portfolio: from n/a through <= 1.3.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting (XSS)
Action: Patch plugin
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious scripts that are reflected back to the victim's browser when certain input fields in the DesignThemes Portfolio plugin are not properly sanitized. This can lead to session hijacking, defacement, or arbitrary code execution in the victim's browser in the context of the affected site.

Affected Systems

WordPress sites running the DesignThemes Portfolio plugin version 1.3 or earlier. The product is identified by the designthemes:DesignThemes Portfolio vendor-product pair. No specific operating-system or WordPress core versions are mentioned.

Risk and Exploitability

The CVSS score of 7.1 rates the vulnerability as high severity. The EPSS score is below 1%, indicating that the exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog. It is likely to be exploited via a crafted URL or form input that the plugin echoes back to the user; the attacker would need to entice a victim to visit the reflected link. No authentication or elevated privileges are required, so the exposed population is broad.

Generated by OpenCVE AI on April 15, 2026 at 23:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the DesignThemes Portfolio plugin to a version newer than 1.3, which eliminates the reflected XSS flaw.
  • Remove or quarantine any instances of the old plugin from the site to prevent accidental use.
  • Implement input validation or sanitization for any custom fields that interact with this plugin until an official fix is available.
  • Check for additional plugin updates and apply all security patches promptly.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Designthemes
  • Designthemes designthemes Portfolio
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Designthemes
  • Designthemes designthemes Portfolio
  • Wordpress
  • Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio designthemes-portfolio allows Reflected XSS. This issue affects DesignThemes Portfolio: from n/a through <= 1.3.

Type: Title
Values Removed: (none)
Values Added: WordPress DesignThemes Portfolio plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:14.680Z

Reserved: 2026-02-19T09:51:58.587Z

Link: CVE-2026-27385

Vulnrichment

Updated: 2026-03-06T18:50:38.795Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:27.977

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-27385

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:45:05Z

Weaknesses