Cyber Resilience

CVE-2026-25341

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 14.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25341 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-25341 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the RSJoomla! RSFirewall! rsfirewall WordPress plugin. This issue affects RSFirewall! versions from n/a through 1.1.45.

Unauthenticated attackers with network access can exploit this vulnerability, which has low attack complexity but requires user interaction. Exploitation enables storage of malicious scripts that execute when other users access affected web pages, resulting in low impacts to confidentiality, integrity, and availability with a changed scope, as scored 7.1 under CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

The Patchstack advisory documents this Cross-site Scripting vulnerability in the WordPress RSFirewall plugin up to version 1.1.45.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RSJoomla! RSFirewall! rsfirewall allows Stored XSS.This issue affects RSFirewall!: from n/a through <= 1.1.45.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable web app to inject payloads) and facilitates T1185 (arbitrary script execution in victim browsers for session hijacking).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1843Shared CWE-79
CVE-2026-42678Shared CWE-79
CVE-2023-49186Shared CWE-79
CVE-2025-22586Shared CWE-79
CVE-2026-1316Shared CWE-79
CVE-2025-23451Shared CWE-79
CVE-2026-34564Shared CWE-79
CVE-2025-23744Shared CWE-79
CVE-2025-23923Shared CWE-79
CVE-2025-23905Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly mandates validation of information inputs to prevent improper neutralization of user input, stopping stored XSS payloads from being accepted and persisted in the RSFirewall plugin.

prevent

SI-15 requires filtering of information outputs to neutralize embedded scripts before page generation, preventing execution of stored XSS when affected pages are accessed by users.

prevent

SI-2 ensures identification and remediation of flaws like CVE-2026-25341 through timely patching of the vulnerable RSFirewall WordPress plugin versions up to 1.1.45.

References