{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11753", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T16:26:03.705Z", "datePublished": "2025-11-04T04:27:23.226Z", "dateUpdated": "2026-04-08T17:28:38.071Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:38.071Z"}, "affected": [{"vendor": "augustinfotech", "product": "Bootstrap Multi-language Responsive Portfolio", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Bootstrap Multi-language Responsive Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Multi-language Responsive Portfolio WordPress <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e016213f-b06f-4a9d-a2c6-3b4dd1b6b571?source=cve"}, {"url": "https://wordpress.org/plugins/bootstrap-multi-language-responsive-portfolio/"}, {"url": "https://plugins.svn.wordpress.org/bootstrap-multi-language-responsive-portfolio/trunk/wpt-posttype-portfolio.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Marco Gasi"}], "timeline": [{"time": "2025-11-03T16:00:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T14:56:49.551154Z", "id": "CVE-2025-11753", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T14:56:56.689Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11753", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T14:56:49.551154Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T14:56:53.722Z"}}], "cna": {"title": "Multi-language Responsive Portfolio WordPress <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Marco Gasi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "augustinfotech", "product": "Bootstrap Multi-language Responsive Portfolio", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T16:00:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e016213f-b06f-4a9d-a2c6-3b4dd1b6b571?source=cve"}, {"url": "https://wordpress.org/plugins/bootstrap-multi-language-responsive-portfolio/"}, {"url": "https://plugins.svn.wordpress.org/bootstrap-multi-language-responsive-portfolio/trunk/wpt-posttype-portfolio.php"}], "descriptions": [{"lang": "en", "value": "The Bootstrap Multi-language Responsive Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:38.071Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11753", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:38.071Z", "dateReserved": "2025-10-14T16:26:03.705Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:23.226Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Bootstrap Multi-language Responsive Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-11753", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:02.263", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/bootstrap-multi-language-responsive-portfolio/trunk/wpt-posttype-portfolio.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/bootstrap-multi-language-responsive-portfolio/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e016213f-b06f-4a9d-a2c6-3b4dd1b6b571?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:39:48.716440+00:00", "value": {"mitigation_remediation": ["Upgrade the Bootstrap Multi\u2011language Responsive Portfolio plugin to a version that contains the XSS fix if such a version is available.", "If no patch exists, disable or uninstall the plugin to remove the vulnerable code path.", "After disabling or updating, review existing portfolio pages and settings for any malicious content and remove it if present.", "Restrict the unfiltered_html capability or enable proper sanitization to reduce the risk of future XSS injections."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the Bootstrap Multi\u2011language Responsive Portfolio plugin up to and including version 1.0 are affected. The vulnerability only applies to WordPress installations that are configured as multisite and that have the unfiltered_html capability disabled. Affected systems are those using the August Infotech plugin in these configurations.", "description_and_impact": "The Bootstrap Multi\u2011language Responsive Portfolio plugin contains a stored cross\u2011site scripting flaw that allows attackers who are authenticated with administrator\u2011level permissions or higher to insert arbitrary web scripts through the plugin\u2019s admin settings. When a page that contains the injected content is viewed by a user, the script executes in the victim\u2019s browser, potentially allowing the attacker to manipulate page content and to read or alter data in the victim\u2019s context.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.4, indicating moderate severity, and an EPSS score of less than 1\u202f%, representing a low but non\u2011zero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker must have authenticated administrator access to the plugin\u2019s settings to exploit the issue, making the attack path local to the WordPress installation and typically a moderate\u2011risk scenario with low exploitation probability."}}}}, "created": "2025-11-04T16:33:35.169246+00:00", "updated": "2026-04-22T00:45:04.158764+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}