Vulnerabilities and security researches forportfolio-wp portfolio-wp

Jun 06, 2024

CVE, Research URL: CVE-2021-25090
Home page URL: Security reports for Portfolio Gallery, Product Catalog – Grid KIT Portfolio
Application: Portfolio Gallery, Product Catalog – Grid KIT Portfolio
Date: Apr 11, 2022
Research Description: The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages where a Portfolio is embed
Affected versions: max 2.1.0.
Status: vulnerable

Apr 24, 2026

CVE, Research URL: CVE-2025-5092
Home page URL: Security reports for Portfolio Gallery, Product Catalog – Grid KIT Portfolio
Application: Portfolio Gallery, Product Catalog – Grid KIT Portfolio
Date: Nov 20, 2025
Research Description: Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.2.2.
Status: vulnerable