Cyber Posture

CVE-2026-25341

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 11.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25341 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly mandates validation of information inputs to prevent improper neutralization of user input, stopping stored XSS payloads from being accepted and persisted in the RSFirewall plugin.

SI-15 Information Output Filtering good match
prevent

SI-15 requires filtering of information outputs to neutralize embedded scripts before page generation, preventing execution of stored XSS when affected pages are accessed by users.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures identification and remediation of flaws like CVE-2026-25341 through timely patching of the vulnerable RSFirewall WordPress plugin versions up to 1.1.45.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
attack.mitre.org →
Why these techniques?

Stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable web app to inject payloads) and facilitates T1185 (arbitrary script execution in victim browsers for session hijacking).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RSJoomla! RSFirewall! rsfirewall allows Stored XSS.This issue affects RSFirewall!: from n/a through <= 1.1.45.

Deeper analysisAI

CVE-2026-25341 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the RSJoomla! RSFirewall! rsfirewall WordPress plugin. This issue affects RSFirewall! versions from n/a through 1.1.45.

Unauthenticated attackers with network access can exploit this vulnerability, which has low attack complexity but requires user interaction. Exploitation enables storage of malicious scripts that execute when other users access affected web pages, resulting in low impacts to confidentiality, integrity, and availability with a changed scope, as scored 7.1 under CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

The Patchstack advisory documents this Cross-site Scripting vulnerability in the WordPress RSFirewall plugin up to version 1.1.45.

Details

CWE(s)
CWE-79

CVEs Like This One

CVE-2025-22751Shared CWE-79
CVE-2026-30862Shared CWE-79
CVE-2025-23726Shared CWE-79
CVE-2025-67932Shared CWE-79
CVE-2025-28928Shared CWE-79
CVE-2025-23843Shared CWE-79
CVE-2025-68538Shared CWE-79
CVE-2025-27088Shared CWE-79
CVE-2025-23811Shared CWE-79
CVE-2025-22593Shared CWE-79

References