Stored Cross-Site Scripting vulnerabilities in Themify Portfolio Post <= 1.1.5 allow low-privileged users (Contributor+) to inject arbitrary Javascript code or HTML in posts where the Themify Custom Panel is embedded.
1. As a contributor, go into "Portfolios" tab from the sidebar and create a new Portfolios
2. In the Themify Custom Panel section, Input an XSS vector to :
- Date
- Client
- Services
- Link to Launch
ex: <img src=x onerror=alert(origin)>
3. Publish/Send for review and visit created post/preview as editor/admin to trigger XSS.