CVE-2025-59135

Published: 2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 18:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS. This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.

Analysis

Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin, versions 1.7.5 and earlier, allows authenticated users to inject scripts that execute in the browsers of other users who visit the affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, so an attacker with contributor-level access or higher can compromise site visitors. No public exploit code or active exploitation has been reported, and the vulnerability carries a low EPSS score (0.04%, percentile 13%), indicating limited real-world exploitation likelihood at the time of analysis.

Technical Context

The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation): the Behance Portfolio Manager plugin fails to adequately sanitize user-supplied input before rendering it in the HTML output of portfolio pages. This classic stored XSS pattern typically arises when the plugin processes portfolio metadata, descriptions, or media attributes, whether fetched from the Behance API or supplied by users, and writes them into the page without context-appropriate output encoding (and without a content security policy that would limit the damage). The vulnerability lies in the WordPress plugin itself rather than in the Behance API: the flaw is in how the plugin filters and displays third-party content within the WordPress environment.
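To make the CWE-79 pattern concrete, the following is an added illustration written for this page; it is not code from the Behance Portfolio Manager plugin, whose actual source is not shown here. It places a renderer that interpolates stored fields straight into HTML next to one that encodes each value for the context it lands in. The field names (id, url, title, description) and the sample project are constructed assumptions; the `esc_html()`, `esc_attr()` and `esc_url()` fallbacks exist only so the file runs outside WordPress, where the real functions from wp-includes/formatting.php would be used instead.

```php
<?php
// Added example (not the plugin's own code): vulnerable vs. hardened rendering
// of a stored portfolio project. Field names and sample data are constructed.

// Fallbacks so this file runs without WordPress loaded. Inside WordPress the
// real esc_html()/esc_attr()/esc_url() are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        // Minimal stand-in: permit only http(s) URLs. WordPress's esc_url()
        // does considerably more; this is enough to show the idea.
        return preg_match('#^https?://#i', $s)
            ? htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : '';
    }
}

// Vulnerable: stored values are concatenated into markup unchanged, so any
// HTML or script a contributor saved is delivered verbatim to every visitor.
function render_project_vulnerable(array $p): string {
    return '<div class="project" data-id="' . $p['id'] . '">'
         . '<a href="' . $p['url'] . '"><h3>' . $p['title'] . '</h3></a>'
         . '<p>' . $p['description'] . '</p></div>';
}

// Hardened: each value is encoded for its output context (attribute, URL,
// element text), which is the missing step that CWE-79 describes.
function render_project_safe(array $p): string {
    return '<div class="project" data-id="' . esc_attr((string) $p['id']) . '">'
         . '<a href="' . esc_url($p['url']) . '"><h3>' . esc_html($p['title']) . '</h3></a>'
         . '<p>' . esc_html($p['description']) . '</p></div>';
}

// Constructed sample: a description field containing markup, as an
// authenticated contributor could store it.
$project = [
    'id'          => 42,
    'url'         => 'https://www.behance.net/gallery/example',
    'title'       => 'My Portfolio',
    'description' => 'Hello <script>console.log("stored content")</script>',
];

echo render_project_vulnerable($project), "\n"; // script tag reaches the browser intact
echo render_project_safe($project), "\n";       // script tag is rendered as inert text
```

Run with `php example.php`: the first line of output contains a live `<script>` element, the second contains `&lt;script&gt;`, which browsers display as text. The encoding must be chosen per context; a value that is safe inside element text is not necessarily safe inside an `href` or an event-handler attribute, which is why the hardened renderer uses three different escapers.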

Affected Products

eleopard Behance Portfolio Manager for WordPress (portfolio-manager-powered-by-behance plugin) is affected in all versions from the initial release through version 1.7.5. The plugin identifier is 'portfolio-manager-powered-by-behance' on the WordPress.org plugin directory. Users running version 1.7.5 or earlier are vulnerable to stored XSS attacks via portfolio content fields.

Remediation

Update the Behance Portfolio Manager plugin to version 1.7.6 or later immediately; that release contains the fix for the stored XSS vulnerability. In WordPress, navigate to Plugins > Installed Plugins, locate 'Behance Portfolio Manager', and click 'Update Now'. Alternatively, download the patched version manually from the WordPress plugin repository at https://wordpress.org/plugins/portfolio-manager-powered-by-behance/ and upload it to your wp-content/plugins directory. Until patching is complete, restrict portfolio editing permissions to trusted administrators only and review existing portfolio content for suspicious script injections. The vulnerability report is documented in the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve.
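For the "review portfolio content" step, the following added helper (written for this page, not shipped by the plugin or by vuln.today) flags stored values that contain active markup so a reviewer can triage them. The rows it scans are constructed stand-ins; which database tables or post-meta keys the plugin actually stores portfolio fields in is not stated on the page, so in a real review those rows would be pulled from the site's database, and the patterns deliberately over-report rather than miss cases.

```php
<?php
// Added review helper (not the plugin's code): flag stored portfolio fields that
// carry active markup. Input rows are constructed; real rows would be read from
// the site's database (table/meta-key names are an assumption left to the reviewer).

// Patterns chosen for triage, not for exactness: each one is cheap and is expected
// to produce some false positives that a human then dismisses.
const SUSPICIOUS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'event_handler'  => '/[\s"\']on[a-z]+\s*=/i',   // e.g. a space followed by onerror=
    'javascript_uri' => '/javascript\s*:/i',
    'iframe_tag'     => '/<\s*iframe\b/i',
    'svg_tag'        => '/<\s*svg\b/i',
];

/**
 * Scan rows of stored content and return the ones that match any pattern.
 *
 * @param array<int, array{post_id:int, field:string, value:string}> $rows
 * @return array<int, array{post_id:int, field:string, matched:string[]}>
 */
function find_suspicious_content(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        $matched = [];
        foreach (SUSPICIOUS_PATTERNS as $name => $re) {
            // Match the raw stored value: content that is already entity-encoded
            // (e.g. &lt;script&gt;) renders as text and is not reported.
            if (preg_match($re, $row['value']) === 1) {
                $matched[] = $name;
            }
        }
        if ($matched !== []) {
            $findings[] = [
                'post_id' => $row['post_id'],
                'field'   => $row['field'],
                'matched' => $matched,
            ];
        }
    }
    return $findings;
}

// Constructed sample rows standing in for database content.
$rows = [
    ['post_id' => 101, 'field' => 'description', 'value' => 'A clean project description.'],
    ['post_id' => 102, 'field' => 'description', 'value' => 'Look <script>console.log(1)</script>'],
    ['post_id' => 103, 'field' => 'title',       'value' => '<img src=x onerror="console.log(2)">'],
    ['post_id' => 104, 'field' => 'url',         'value' => 'javascript:void(0)'],
    ['post_id' => 105, 'field' => 'description', 'value' => 'Encoded and inert: &lt;script&gt;'],
];

foreach (find_suspicious_content($rows) as $f) {
    printf("post %d, field %s: %s\n", $f['post_id'], $f['field'], implode(', ', $f['matched']));
}
```

Running it lists posts 102, 103 and 104 with the pattern each tripped, while 101 and 105 stay quiet. Findings are a starting point for a manual look at each flagged record, not a verdict; after the update to 1.7.6 the same content is still worth cleaning, because the fix stops new injections from rendering but does not remove what was stored earlier.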

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
