Skip to main content

Felan Framework CVE-2025-22741

| EUVDEUVD-2025-209955 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-64x7-8qh7-xq7m
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:00 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS.

This issue affects Felan Framework: from n/a through 1.1.3.

AnalysisAI

Reflected cross-site scripting in the RiceTheme Felan Framework WordPress plugin (all versions through 1.1.3) lets a remote unauthenticated attacker inject script that executes in a victim's browser when the victim follows a crafted link. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity, network-reachable flaw requiring user interaction with a changed scope, scored 7.1. There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), consistent with the CISA SSVC assessment of no observed exploitation.

Technical ContextAI

Felan Framework is a WordPress plugin published by RiceTheme; as a plugin it runs inside the PHP-based WordPress request lifecycle and renders output into HTML pages served to site visitors. The root cause is CWE-79, Improper Neutralization of Input During Web Page Generation, specifically the reflected variant: user-supplied input (typically a URL/request parameter) is echoed back into the generated HTML response without sufficient output encoding or sanitization, so attacker-controlled markup is interpreted as active script by the browser. Because this is reflected rather than stored, the malicious payload is delivered per-request via the link the victim clicks, not persisted in the WordPress database.

RemediationAI

No vendor-released patch version is identified in the available data; the reported affected range ends at 1.1.3 with no confirmed fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) and the RiceTheme/WordPress plugin page for an update beyond 1.1.3 and upgrade as soon as one is published. Until a fix is confirmed, deploy a Web Application Firewall (Patchstack or equivalent) with rules to block reflected XSS payloads in the plugin's request parameters, which adds latency and a small false-positive risk but requires no code change; alternatively, deactivate and remove the Felan Framework plugin if its functionality is non-essential, accepting loss of the features it provides. Reinforce defenses by setting a restrictive Content-Security-Policy header to constrain inline script execution, noting this can break legitimate inline scripts and themes and should be tested before enforcement.

Share

CVE-2025-22741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy