Description
The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description.
Proof of Concept
Steps to reproduce:
1) As a Contributor, go to portfolio on the dashboard and add new item.
2) on the editing page that comes up, scroll down to the slider section
3) Add the payload in the description area. "<img src=1 onerror=alert('xss')>"
4) save and preview the item and watch the script trigger.
5)login as an administrator or editor and also preview the created portfolio item and the script gets triggered
Source: https://wpscan.com/vulnerability/dd6ebf6b-209b-437c-9fe4-527ab9e3b9e3