CVE-2025-7726
Description
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description' attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without escaping or filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The The7 theme for WordPress (≤12.6.0) suffers from stored XSS via unsanitized lightbox attributes, allowing Contributor+ users to inject arbitrary scripts.
Vulnerability
Overview
The7 theme for WordPress, up to and including version 12.6.0, contains a stored cross-site scripting (XSS) vulnerability in its lightbox rendering code. The theme's JavaScript reads the user-supplied title and data-dt-img-description attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without escaping or filtering. The choice of sink is what makes this exploitable: the browser decodes entities in an attribute value before jQuery.attr() returns it, so a payload that is stored entity-encoded inside the attribute (an <img ...> tag written as &lt;img ...&gt;, for example) comes back as raw markup and becomes live HTML the moment it is passed to .html(). Escaping the attribute on the server at output time therefore does not close the bug; the value has to be escaped again on the client immediately before the HTML sink, or the caption has to be built with text-only methods such as .text().
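The pattern described above, as an added example written for this page and not taken from The7's code: a plain Node.js model of the attr() -> concatenate -> html() flow next to a hardened renderer. The function names, the caption markup and the sample attribute values are all invented for illustration; decodeAttributeValue stands in for the entity decoding the browser performs before jQuery.attr() returns a value, and the returned strings stand in for what .html() would parse. It runs offline with no jQuery or DOM.

```javascript
// Added example, not The7's code: a Node.js model of the attr() -> concatenate
// -> html() pattern the description names, next to a hardened renderer.
// Function and constant names are invented for illustration; nothing here is
// taken from the theme. Runs offline with no jQuery or DOM.

// Stand-in for what jQuery.attr() returns: the browser has already decoded the
// entities in the attribute value, so any server-side attribute escaping is
// undone before the theme's JavaScript sees the string. (Assumption: the five
// common named entities plus numeric references are enough for this model;
// a browser decodes the full entity table.)
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function decodeAttributeValue(raw) {
  return raw.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, name) => {
    if (name[0] !== "#") {
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
    }
    const code = /^#x/i.test(name) ? parseInt(name.slice(2), 16) : parseInt(name.slice(1), 10);
    return Number.isFinite(code) && code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Vulnerable shape (deliberately kept): attribute values are concatenated into
// markup and handed to an innerHTML-style sink. In the real theme the reads are
// $(img).attr('title') / $(img).attr('data-dt-img-description') and the sink is
// $(caption).html(...); here the returned string is what that sink would parse.
function renderCaptionVulnerable(titleAttr, descriptionAttr) {
  const title = decodeAttributeValue(titleAttr);
  const description = decodeAttributeValue(descriptionAttr);
  return '<h4 class="caption-title">' + title + "</h4>" +
         '<p class="caption-description">' + description + "</p>";
}

// Hardened shape: escape once more, on the client, immediately before the HTML
// sink. With jQuery the equivalent is to build the nodes with .text(), e.g.
// $('<h4>').text(title), and never pass user-derived strings to .html().
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCaptionHardened(titleAttr, descriptionAttr) {
  const title = escapeHtml(decodeAttributeValue(titleAttr));
  const description = escapeHtml(decodeAttributeValue(descriptionAttr));
  return '<h4 class="caption-title">' + title + "</h4>" +
         '<p class="caption-description">' + description + "</p>";
}

// Check used below: which tags would the sink actually create? A correct caption
// creates exactly h4 and p; any other tag name came from the attribute values.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

// Constructed sample: attribute values as they would sit in stored post markup
// after attribute escaping, i.e. the payload is entity-encoded, not raw.
const STORED_TITLE = "Sunset &lt;img src=x onerror=alert(document.domain)&gt;";
const STORED_DESCRIPTION = "Taken in &quot;July&quot; &amp; shared";

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", tagNames(renderCaptionVulnerable(STORED_TITLE, STORED_DESCRIPTION)));
  console.log("hardened:  ", tagNames(renderCaptionHardened(STORED_TITLE, STORED_DESCRIPTION)));
}
```

Run with node and compare the two tag lists: the vulnerable renderer creates an img element (with its onerror handler) that the stored markup never contained as a tag, while the hardened renderer creates only the h4 and p it was written to produce. The decodeAttributeValue step is the part worth internalising: the payload was safely encoded in the attribute the whole time, and it is the read-then-html() round trip, not the storage, that turns it into executable markup.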
Exploitation
Prerequisites
An attacker needs an authenticated WordPress account with at least Contributor-level access. Contributors can create posts but cannot publish them, so the realistic path is a post containing a lightbox element whose title or data-dt-img-description attribute carries the payload. The script then executes in the browser of whoever renders that markup through the theme's lightbox: an editor or administrator who previews or reviews the pending post, and every visitor once it is published. Because the payload is stored with the post, it fires on every view until the content is removed or the theme is fixed.
Impact
Successful exploitation gives the attacker arbitrary JavaScript execution in the victim's session. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is usually not the practical outcome; the script instead acts as the victim, and when the victim is an administrator that means forging authenticated requests to wp-admin (the nonces those requests need are readable from admin pages), for instance to create an administrator account, install a plugin, or edit theme files, alongside the usual redirection and defacement. Every site running The7 at version 12.6.0 or earlier carries the bug; exploitation additionally requires an attacker who holds, or can obtain, a Contributor-level account, for example through open registration with that default role or a compromised low-privilege user.
Mitigation
The The7 theme's changelog indicates that security fixes were applied in later versions [1], but this page does not record the first fixed version; confirm it against the changelog before treating a site as patched. Update to the latest available release. The7 is distributed commercially rather than through the WordPress.org theme directory, so check that the vendor's own update mechanism is active instead of relying on the standard repository update check. No workaround is documented. Until the update is applied, the exposure can be reduced by limiting which accounts hold Contributor or higher access and by reviewing pending posts from such accounts for image markup whose title or data-dt-img-description attributes contain encoded tags or event-handler attributes.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)