cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for a3-portfolio

Jun 16, 2026

a3 Portfolio # 30b3e67d5cbb2b680fcfbd5e6e6f572f47d29927

Application

a3 Portfolio

Date
May 24, 2022
Research Description
a3 Portfolio [a3-portfolio] < 3.0.0
a3rev Multiple Plugins <= Various Versions - Cross-Site Request Forgery to Settings Changes
The a3 Lazy Load, a3 Portfolio, Contact Us Page – Contact People, Dynamic Product Gallery for WooCommerce, a3 Responsive Slider, and Compare Products for WooCommerce plugins for WordPress are vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.0, 3.0.0, 3.6.0, 2.9.0, 2.0.12, and 2.8.0 respectively. This is due to missing nonce validation on the save_settings function present in all three plugins. This makes it possible for unauthenticated attackers to update the plugins' settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. It is also worth noting that there were several additional changes in the plugins related to sanitization and escaping, so there may be other vulnerabilities that were fixed as part of these releases.
Affected versions
max 3.0.0.
Status
vulnerable

a3 Portfolio # a6ad6a89f04d11a0b7c1b7014208a62367569180

Application

a3 Portfolio

Date
Apr 10, 2023
Research Description
a3 Portfolio [a3-portfolio] < 3.1.1
a3 Portfolio <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting
The a3 Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.1.1.
Status
vulnerable
Jun 07, 2024

a3 Portfolio # d1b0f784da3ca0f399c542515fda1423816819f0

Application

a3 Portfolio

Date
Nov 02, 2022
Research Description
a3 Portfolio [a3-portfolio] < 3.0.2
a3 Lazy Load <= 2.6.0 - Cross-Site Request Forgery to Settings Reset
The following plugins for WordPress are vulnerable to Cross-Site Request Forgery: a3 Lazy Load (<= 2.6.0), Contact Us Page – Contact People (<= 3.6.1), a3 Portfolio (<= 3.0.1), Dynamic Product Gallery for WooCommerce (3.0.1), a3 Responsive Slider (<= 2.2.0), Compare Products for WooCommerce (<= 2.8.2), Products Quick View for WooCommerce (<= 2.0.1), Product Sort and Display for WooCommerce (<= 2.2.2), Product Widget Slider for WooCommerce (), WP Email Template (<= 2.6.2). This is due to missing nonce validation on the reset_settings() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 3.0.2.
Status
vulnerable

a3 Portfolio # CVE-2023-29097

CVE, Research URL

CVE-2023-29097

Application

a3 Portfolio

Date
Aug 14, 2023
Research Description
Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in a3rev Software a3 Portfolio plugin <= 3.1.0 versions.
Affected versions
max 3.1.1.
Status
vulnerable