CVE-2025-11897: 
WordPress vulnerability analysis and mitigation

The The7 — Website and eCommerce Builder for WordPress theme is affected by a Stored Cross-Site Scripting vulnerability (CVE-2025-11897) discovered on October 24, 2025. The vulnerability affects all versions up to and including 12.9.1, and is present in the 'the7fancytitle_css' parameter. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) (Wordfence).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, content manipulation, or theft of sensitive information (Tenable).

Users should update The7 WordPress theme to a version newer than 12.9.1 when available. Until then, it is recommended to restrict access to the theme's settings to trusted administrators only (ThemeForest).