Description
The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description.
Proof of Concept
Steps to reproduce: 1) As a Contributor, go to portfolio on the dashboard and add new item. 2) on the editing page that comes up, scroll down to the slider section 3) Add the payload in the description area. "<img src=1 onerror=alert('xss')>" 4) save and preview the item and watch the script trigger. 5)login as an administrator or editor and also preview the created portfolio item and the script gets triggered
Source: https://wpscan.com/vulnerability/dd6ebf6b-209b-437c-9fe4-527ab9e3b9e3