CVE-2025-7726

Name of the Vulnerable Software and Affected Versions: The7 theme for WordPress versions prior to 12.6.1

Description: The The7 theme for WordPress is susceptible to Stored Cross-Site Scripting through its lightbox rendering code. Insufficient input sanitization and output escaping allow the theme’s JavaScript to read user-supplied title and data-dt-img-description attributes directly via jQuery.attr(), concatenate them into an HTML string, and insert that string into the DOM using jQuery.html() without proper filtering. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses the injected page.

Recommendations: Update The7 theme for WordPress to version 12.6.1 or later.