CVE-2025-29010: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in eleopard Behance Portfolio Manager WordPress plugin affecting versions through 1.7.4. The vulnerability was discovered by researcher Nguyen Tran Tuan Dung (domiee13) and was disclosed on June 5, 2025. The vulnerability received the identifier CVE-2025-29010 and allows exploiting incorrectly configured access control security levels (NVD, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (MEDIUM). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating that it requires low privileges and no user interaction to exploit, with potential impact primarily on integrity (NVD).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The impact is considered low severity but could potentially lead to unauthorized access to privileged functions (Patchstack).

No official fix is available as the software appears to be abandoned, having not received updates for over a year. The recommended mitigation is to remove and replace the software with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).