CVE-2026-25442
Published: 19 March 2026
Summary
CVE-2026-25442 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-15 directly mitigates reflected XSS by requiring filtering of web page outputs to neutralize malicious scripts echoed from untrusted inputs.
SI-10 prevents XSS exploitation by validating and sanitizing user inputs to reject or neutralize malicious payloads before processing.
SI-2 addresses this specific CVE by requiring identification, reporting, and timely patching of the flaw in Kentha versions up to 4.7.2.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress theme directly enables T1190 exploitation of the vulnerable application via crafted links/requests; facilitates T1059.007 JavaScript execution in the browser context; and enables T1539 theft of web session cookies or client-side data as described in the impact.
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS.This issue affects Kentha: from n/a through <= 4.7.2.
Deeper analysisAI
CVE-2026-25442 is an improper neutralization of input during web page generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, affecting the Kentha WordPress theme developed by QantumThemes. This issue impacts Kentha versions from n/a through 4.7.2 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), highlighting its high severity due to network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with low impacts across confidentiality, integrity, and availability.
Attackers can exploit this reflected XSS remotely over the network without authentication by tricking users into interacting with malicious input, such as via a crafted link or form submission that echoes unsanitized data back into the web page. No special privileges are needed, and exploitation complexity is low. Successful attacks enable script execution in the victim's browser context, potentially allowing theft of session data, cookie manipulation, or other client-side actions, with impacts extending beyond the vulnerable theme due to the changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kentha/vulnerability/wordpress-kentha-theme-4-7-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this vulnerability specific to Kentha version 4.7.2 and serves as a primary reference for affected WordPress installations.
Details
- CWE(s)