Cyber Resilience

CVE-2026-25442

High

Published: 19 March 2026

Published
19 March 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 14.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25442 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-25442 is an improper neutralization of input during web page generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, affecting the Kentha WordPress theme developed by QantumThemes. This issue impacts Kentha versions from n/a through 4.7.2 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), highlighting its high severity due to network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with low impacts across confidentiality, integrity, and availability.

Attackers can exploit this reflected XSS remotely over the network without authentication by tricking users into interacting with malicious input, such as via a crafted link or form submission that echoes unsanitized data back into the web page. No special privileges are needed, and exploitation complexity is low. Successful attacks enable script execution in the victim's browser context, potentially allowing theft of session data, cookie manipulation, or other client-side actions, with impacts extending beyond the vulnerable theme due to the changed scope.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kentha/vulnerability/wordpress-kentha-theme-4-7-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this vulnerability specific to Kentha version 4.7.2 and serves as a primary reference for affected WordPress installations.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS.This issue affects Kentha: from n/a through <= 4.7.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS in public-facing WordPress theme directly enables T1190 exploitation of the vulnerable application via crafted links/requests; facilitates T1059.007 JavaScript execution in the browser context; and enables T1539 theft of web session cookies or client-side data as described in the impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23538Shared CWE-79
CVE-2026-27099Shared CWE-79
CVE-2025-12716Shared CWE-79
CVE-2026-34563Shared CWE-79
CVE-2025-68883Shared CWE-79
CVE-2024-13875Shared CWE-79
CVE-2026-24778Shared CWE-79
CVE-2025-64539Shared CWE-79
CVE-2025-23683Shared CWE-79
CVE-2024-13055Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-15 directly mitigates reflected XSS by requiring filtering of web page outputs to neutralize malicious scripts echoed from untrusted inputs.

prevent

SI-10 prevents XSS exploitation by validating and sanitizing user inputs to reject or neutralize malicious payloads before processing.

prevent

SI-2 addresses this specific CVE by requiring identification, reporting, and timely patching of the flaw in Kentha versions up to 4.7.2.

References