CVE-2025-25427 HIGH

CVE-2025-25427: XSS in TP-Link TL-WR841N v14/v14.6/v14.8 Upnp page

Vendor Tp-Link Systems Inc.

Product TL-WR841N v14/v14.6/v14.8

Weakness CWE-79 · XSS

Published April 18, 2025

Last update July 1, 2025

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded.

Key dates

02Disclosure timeline

April 18, 2025 CVE published

July 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-25427

Related vulnerabilities

04Related CVE

CVE-2024-12177 Ai Image Alt Text Generator for WP <= 1.0.6 - Reflected Cross-Site Scripting CVE-2024-37117 WordPress Uncanny Automator Pro plugin <= 5.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-24709 WordPress Plethora Plugins Tabs + Accordions plugin <= 1.1.5 - Stored Cross Site Scripting (XSS) vulnerability CVE-2024-30461 WordPress Tumult Hype Animations plugin <= 1.9.11 - CSRF to XSS vulnerability CVE-2025-23767 WordPress Marmoset Viewer plugin <= 1.9.3 - Stored Cross Site Scripting (XSS) vulnerability

Identifiers

CVE CVE-2025-25427

CWE CWE-79

CVSS 8.6 / HIGH

Affected versions

Vendor Tp-Link Systems Inc.

Product TL-WR841N v14/v14.6/v14.8

Affected ≤ Build 241230 Rel. 50788n