Skip to main content

CVE-2025-59137

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 05:16 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.

AnalysisAI

Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.

Technical ContextAI

This vulnerability combines two distinct vulnerability classes: CWE-352 (Cross-Site Request Forgery) and Stored XSS. The root cause is inadequate CSRF token validation in the eleopard Behance Portfolio Manager plugin, a WordPress plugin that integrates Behance portfolio data into WordPress sites. The vulnerability appears to exist in form handlers or AJAX endpoints that accept portfolio-related data without proper nonce verification or token validation. Because the XSS payload is stored (rather than reflected), it persists in the WordPress database, affecting all subsequent site visitors who view the compromised portfolio content. The Patchstack report confirms this affects the portfolio-manager-powered-by-behance plugin specifically.

Affected ProductsAI

eleopard Behance Portfolio Manager (portfolio-manager-powered-by-behance) versions from an unspecified baseline through version 1.7.5 are affected. This is a WordPress plugin distributed through the official WordPress.org plugin repository. The plugin integrates Behance portfolio functionality into WordPress sites, and all installations running version 1.7.5 or earlier require remediation. The CPE for this plugin would typically be cpe:2.3:a:eleopard:portfolio-manager-powered-by-behance:*:*:*:*:*:wordpress:*:*; however, no specific CPE was provided in the source data. Affected users can identify their installation version via the WordPress Plugins admin panel.

RemediationAI

Update eleopard Behance Portfolio Manager to a version newer than 1.7.5 as released by the vendor. Review Patchstack's vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for the recommended patched version and installation instructions. If automatic updates are not enabled, manually update via WordPress Admin > Plugins > Portfolio Manager Powered by Behance > Update. Additionally, administrators should audit recent portfolio updates in the plugin settings to verify no stored XSS payloads were injected during the window of vulnerability exposure, particularly if the site has been accessed by untrusted users. Consider implementing a Web Application Firewall (WAF) rule to block requests lacking proper WordPress nonces as a temporary mitigation while updates are staged.

Share

CVE-2025-59137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy