Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS.

This issue affects Felan Framework: from n/a through 1.1.3.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation, allowing an attacker to reflect malicious script into the browser of any user who views a crafted page. The reflected XSS could execute JavaScript within the victim’s context, potentially enabling data theft or site defacement. The description states that the flaw exists in the plugin’s handling of external input.

Affected Systems

The RiceTheme Felan Framework WordPress plugin is affected in all versions up to and including 1.1.3.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) indicates a high risk level. The reported EPSS probability is below 1%, and the CVE is not listed in the CISA KEV catalog. The attack vector is inferred to be a web‑based reflected XSS, most likely through a GET or POST parameter that the plugin echoes into a page without proper escaping. Exploitation requires the victim’s browser to load the crafted URL, so user interaction is required, but the attacker needs no privileges on the affected site.

Generated by OpenCVE AI on May 27, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official plugin update, which resolves the reflected XSS flaw.
  • If an update is not immediately possible, validate and contextually escape all user‑supplied input before rendering it in the plugin’s output, following established XSS prevention practices.
  • Deploy a strict Content Security Policy that restricts the execution of inline scripts and limits script sources to trusted domains to reduce the impact of any remaining reflected XSS.


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 09:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a through 1.1.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Felan Framework plugin <= 1.1.3 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:27:23.471Z

Reserved: 2025-01-07T21:04:23.273Z

Link: CVE-2025-22741

Vulnrichment

Updated: 2026-05-27T10:27:18.820Z

NVD

Status: Deferred

Published: 2026-05-27T09:16:26.977

Modified: 2026-05-27T14:50:47.627

Link: CVE-2025-22741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses