CVE-2024-13851: 
WordPress vulnerability analysis and mitigation

The Modal Portfolio plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-13851, affecting all versions up to and including 1.7.4.2. The vulnerability was discovered by researchers Pham Van Tam and Nguyen Khanh Hao, and was disclosed on February 27, 2025. As a result of this security issue, the plugin has been temporarily closed from the WordPress plugin directory since February 26, 2025, pending a full security review (WordPress Plugin, Wordfence Intel).

The vulnerability has been classified with a CVSS v3.1 score of 5.5, indicating a moderate severity level. The attack vector is characterized as Network (AV:N), with Low attack complexity (AC:L), requiring High privileges (PR:H), and No user interaction (UI:N). The scope is Changed (S:C), with Low confidentiality impact (C:L) and Low integrity impact (I:L), and No availability impact (A:N) (Pham Tam).

The Stored Cross-Site Scripting vulnerability could allow attackers with high privileges to inject malicious scripts that would be stored on the target system and executed when other users access the affected pages, potentially leading to compromised user sessions and data exposure (NVD).

The WordPress.org team has taken immediate action by temporarily closing the plugin from their directory pending a full security review. Users are advised to consider alternative portfolio plugins until a patched version is released (WordPress Plugin).