CVE-2025-7726: 
WordPress vulnerability analysis and mitigation

The The7 WordPress theme contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-7726) discovered in its lightbox rendering code, affecting all versions up to and including 12.6.0. The vulnerability was disclosed on August 9, 2025, and impacts users of The7 theme for WordPress (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the theme's JavaScript code. Specifically, the theme's JavaScript reads user-supplied 'title' and 'data-dt-img-description' attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without proper escaping or filtering. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or other malicious activities (NVD CVE).

Based on the changelog from The7's official website, the vulnerability was addressed in version 12.6.0 released on June 14, 2025. Users are advised to update to the latest version of The7 theme to mitigate this vulnerability (The7 Changelog).