CVE-2025-59586: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in PenciDesign's Penci Portfolio WordPress plugin, identified as CVE-2025-59586. The vulnerability affects versions up to and including 3.5 of the plugin and was disclosed on September 22, 2025. The security flaw was discovered by researcher João Pedro S Alcântara (Kinorth) and allows for DOM-Based XSS attacks (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 score of 6.5 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The security flaw stems from insufficient input sanitization and output escaping in the plugin's code, which allows for stored cross-site scripting attacks (Rapid7).

When exploited, this vulnerability could allow malicious actors to inject harmful scripts, including redirects and unwanted advertisements, into the affected website. These injected scripts would execute when visitors access the compromised pages. The attack requires an authenticated user with contributor-level access or higher to implement (Patchstack).

The vulnerability has been patched in version 3.6 of the Penci Portfolio plugin. Website administrators are advised to update to version 3.6 or later to remediate this security issue. For users unable to update immediately, it's recommended to restrict contributor access to trusted users only (Patchstack).