Stored Cross-Site Scripting Vulnerability in TP-Link WR841N Router
CVE-2025-25427
Currently unrated
Summary
A stored cross-site scripting vulnerability exists in the Universal Plug and Play (UPnP) page of the web interface in TP-Link WR841N routers running firmware version 4.19 or earlier. The flaw allows remote attackers to inject arbitrary JavaScript code through the port mapping description. When the UPnP page is accessed, the injected code executes in the context of the user's browser, potentially compromising user data and system integrity. Users should update their firmware to mitigate this risk.