CVE-2026-6646
Description
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitization and output escaping on the 'title' component of the 'link' shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The The7 theme for WordPress (≤14.3.2) contains a stored XSS vulnerability in the 'dt_default_button' shortcode, allowing Contributor+ users to inject arbitrary scripts via the 'title' parameter.
Vulnerability
Overview
The vulnerability resides in the 'dt_default_button' shortcode of the The7 theme for WordPress. The 'title' component of the 'link' shortcode parameter is not properly sanitized or escaped before being stored, enabling the injection of arbitrary web scripts. This issue affects all versions up to and including 14.3.2 [1].
Exploitation
Prerequisites
An authenticated attacker with at least Contributor-level access can exploit this flaw by crafting a malicious 'title' value within the shortcode. When the page containing the injected shortcode is viewed by any user, the stored script executes in the context of the victim's browser [1].
Impact
Successful exploitation leads to Stored Cross-Site Scripting (XSS), which can be used to steal session cookies, redirect users to malicious sites, deface pages, or perform other actions on behalf of the victim. The attack does not require any special network position beyond standard WordPress contributor capabilities [1].
Mitigation
The issue has been addressed in version 14.3.3, released on May 8, 2026, as noted in the theme's changelog. Users are strongly advised to update to the latest version to eliminate the vulnerability [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=14.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- plugins.trac.wordpress.org/browser/dt-the7/tags/14.2.2/inc/helpers/html-helpers.phpnvd
- plugins.trac.wordpress.org/browser/dt-the7/tags/14.2.2/inc/shortcodes/includes/default-button/default-button.phpnvd
- plugins.trac.wordpress.org/browser/dt-the7/tags/14.2.2/inc/shortcodes/includes/default-button/default-button.phpnvd
- plugins.trac.wordpress.org/browser/dt-the7/trunk/inc/helpers/html-helpers.phpnvd
- plugins.trac.wordpress.org/browser/dt-the7/trunk/inc/shortcodes/includes/default-button/default-button.phpnvd
- plugins.trac.wordpress.org/browser/dt-the7/trunk/inc/shortcodes/includes/default-button/default-button.phpnvd
- the7.io/changelog/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/082f810c-d55e-4190-908c-c7dd9c2e59a5nvd
News mentions
0No linked articles in our index yet.