Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS.
This issue affects Felan Framework: from n/a through 1.1.3.
AnalysisAI
Reflected cross-site scripting in the RiceTheme Felan Framework WordPress plugin (all versions through 1.1.3) lets a remote unauthenticated attacker inject script that executes in a victim's browser when the victim follows a crafted link. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity, network-reachable flaw requiring user interaction with a changed scope, scored 7.1. There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), consistent with the CISA SSVC assessment of no observed exploitation.
Technical ContextAI
Felan Framework is a WordPress plugin published by RiceTheme; as a plugin it runs inside the PHP-based WordPress request lifecycle and renders output into HTML pages served to site visitors. The root cause is CWE-79, Improper Neutralization of Input During Web Page Generation, specifically the reflected variant: user-supplied input (typically a URL/request parameter) is echoed back into the generated HTML response without sufficient output encoding or sanitization, so attacker-controlled markup is interpreted as active script by the browser. Because this is reflected rather than stored, the malicious payload is delivered per-request via the link the victim clicks, not persisted in the WordPress database.
RemediationAI
No vendor-released patch version is identified in the available data; the reported affected range ends at 1.1.3 with no confirmed fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) and the RiceTheme/WordPress plugin page for an update beyond 1.1.3 and upgrade as soon as one is published. Until a fix is confirmed, deploy a Web Application Firewall (Patchstack or equivalent) with rules to block reflected XSS payloads in the plugin's request parameters, which adds latency and a small false-positive risk but requires no code change; alternatively, deactivate and remove the Felan Framework plugin if its functionality is non-essential, accepting loss of the features it provides. Reinforce defenses by setting a restrictive Content-Security-Policy header to constrain inline script execution, noting this can break legitimate inline scripts and themes and should be tested before enforcement.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209955
GHSA-64x7-8qh7-xq7m