CVE-2025-7046: 
WordPress vulnerability analysis and mitigation

The Portfolio for Elementor & Image Gallery | PowerFolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2025-7046) via the Custom JS Attributes of Plugin's widgets in versions up to and including 3.2.0. The vulnerability was discovered on July 3, 2025, and was fully patched in version 3.2.1, with a partial fix implemented in version 3.2.0 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the Custom JS Attributes of Plugin's widgets. This security flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to inject malicious web scripts that execute whenever a user accesses an affected page. This can lead to potential client-side attacks against site visitors, including data theft, session hijacking, or other malicious activities (NVD).

Users are strongly advised to update to version 3.2.1 which contains the complete fix for this vulnerability. While version 3.2.0 includes a partial fix, it is recommended to upgrade to version 3.2.1 for full protection (WordPress Plugin Repository).