Vulnerabilities and security researches forportfolio-and-projects portfolio-and-projects

Apr 23, 2026

CVE, Research URL: CVE-2026-6443
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Apr 17, 2026
Research Description: All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
Affected versions: max 1.5.6.1.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-67470
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Dec 09, 2025
Research Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Essential Plugin Portfolio and Projects portfolio-and-projects allows Retrieve Embedded Sensitive Data.This issue affects Portfolio and Projects: from n/a through <= 1.5.5.
Affected versions: max 1.5.5.
Status: vulnerable

Mar 15, 2025

CVE, Research URL: CVE-2024-13847
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Mar 15, 2025
Research Description: The Portfolio and Projects plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 1.5.3.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-39995
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Dec 13, 2024
Research Description: Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Portfolio and Projects allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio and Projects: from n/a through 1.3.7.
Affected versions: max 1.3.8.
Status: vulnerable

CVE, Research URL: CVE-2023-40200
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: -
Research Description: Multiple WPOnlineSupport plugins for WordPress are vulnerable to unauthorized modification of data due to a missing capability check on the wpos_anylc_admin_init_process() function hooked via admin_init in various versions. This makes it possible for unauthenticated attackers to dismiss a license notice.
Affected versions: max 1.3.7.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: 1e5ab0d376bb286eb9f3c02b0bc3818f419fb17d
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Aug 11, 2023
Research Description: Portfolio and Projects [portfolio-and-projects] < 1.3.8 WordPress Portfolio and Projects Plugin <= 1.3.7 is vulnerable to Broken Access Control Update the WordPress Portfolio and Projects plugin to the latest available version (at least 1.3.8). Cat discovered and reported this Broken Access Control vulnerability in WordPress Portfolio and Projects Plugin. A broken access control issue refers to a missing authorization, authentication or nonce token check in a function that could lead to an unprivileged user to executing a certain higher privileged action. This vulnerability has been fixed in version 1.3.8.
Affected versions: max 1.3.8.
Status: vulnerable