PatchSiren cyber security CVE debrief
CVE-2021-47929 Filterable Portfolio CVE debrief
CVE-2021-47929 describes a stored cross-site scripting issue in Filterable Portfolio / Filterable Portfolio Gallery 1.0. An authenticated attacker can place malicious script content into the title field, and that content may execute in another user’s browser when the gallery is previewed or viewed. The issue is classed as CWE-79 and should be treated as a client-side injection risk affecting anyone who loads the vulnerable content.
- Vendor: Filterable Portfolio
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
WordPress administrators, plugin maintainers, site editors, and security teams responsible for user-generated content or gallery components. Any deployment that allows authenticated users to create or edit gallery entries should treat this as a browser-side trust boundary issue.
Technical summary
The supplied description and NVD metadata indicate a stored XSS condition in the plugin’s title handling. Because the payload is persisted, the dangerous content can affect all viewers of the rendered gallery, not just the original attacker. The NVD record maps the issue to CWE-79 and includes a CVSS vector consistent with network-based exploitation requiring low privileges and user interaction.
Defensive priority
Medium. This is not a remote code execution issue, but stored XSS can enable session theft, account action abuse, content defacement, and follow-on phishing inside trusted site sessions.
Recommended defensive actions
- Update or remove the vulnerable plugin using the official WordPress plugin source if a fixed release is available.
- Audit all existing gallery titles and related fields for unexpected HTML, script tags, event handlers, or other markup.
- Escape and sanitize output on render, not only on input, and verify the plugin uses context-appropriate encoding for title display.
- Restrict which authenticated roles can create or edit gallery content.
- Review browser-side hardening such as a restrictive Content Security Policy to reduce script execution impact.
- Check for signs of abuse in recent content changes and review affected user sessions if malicious titles were stored.
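The two actions above that are easiest to get wrong in practice are the audit of stored titles and context-appropriate escaping on render. The following is an added example, not code from the plugin or from PatchSiren, showing both in JavaScript: an audit helper that flags stored titles carrying markup, and a renderer that escapes the title separately for the attribute and text-node contexts it lands in. The gallery item shape and the sample titles are constructed for illustration.

```javascript
// Escape a value for an HTML text node (content between tags).
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape a value for a double-quoted HTML attribute. The character set is the
// same as for text, but the caller must always quote the attribute: an unquoted
// attribute would need a much larger escape set.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s);
}

// Render one gallery entry (hypothetical shape: { id, title }) with the title
// escaped once per output context rather than trusting what was stored.
function renderGalleryItem(item) {
  return `<figure class="portfolio-item" data-title="${escapeHtmlAttr(item.title)}">` +
         `<figcaption>${escapeHtmlText(item.title)}</figcaption></figure>`;
}

// Audit helper: flag stored titles that contain tags, inline event handlers or
// script-scheme URLs so they can be reviewed and cleaned up.
const SUSPECT_PATTERNS = [
  /<\s*\/?\s*[a-z][^>]*>/i, // any HTML tag
  /\bon[a-z]+\s*=/i,        // onerror=, onload=, onclick=, ...
  /javascript\s*:/i,        // javascript: URLs in href/src
];

function findSuspectTitles(items) {
  return items.filter((it) => SUSPECT_PATTERNS.some((re) => re.test(it.title)));
}

// Constructed sample entries, as an audit of stored gallery content might see them.
const SAMPLE_ITEMS = [
  { id: 1, title: "Spring collection" },
  { id: 2, title: "Tom & Jerry's \"best\" shots" },
  { id: 3, title: "Gallery <script>alert('xss')</script>" },
  { id: 4, title: "<a href=\"#\" onclick=\"void 0\">Click</a>" },
];

// Flagged ids: 3 and 4; rendering item 3 yields no live <script> tag.
console.log(findSuspectTitles(SAMPLE_ITEMS).map((it) => it.id));
console.log(renderGalleryItem(SAMPLE_ITEMS[2]));
```

Legitimate titles such as item 2 survive the audit untouched and render correctly once escaped, which is why output encoding rather than input stripping is the primary control.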
Evidence notes
The supplied NVD record for CVE-2021-47929 lists the weakness as CWE-79 and includes references to the vendor site, the WordPress plugin page, an Exploit-DB entry, and a VulnCheck advisory. The user-supplied description explicitly states the vulnerability is a stored XSS in the title field that can execute when the gallery is previewed. No CISA KEV listing is present in the supplied enrichment data.
Official resources
The supplied timeline places the public NVD entry and source record at 2026-05-10T13:16:29.017Z, with NVD vulnStatus shown as Received. The supplied enrichment does not list this CVE in CISA KEV.