CVE-2025-7726: 
WordPress vulnerability analysis and mitigation

The The7 WordPress theme contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-7726) discovered in its lightbox rendering code affecting all versions up to and including 12.6.0. The vulnerability was disclosed on August 9, 2025, and stems from insufficient input sanitization and output escaping in the theme's JavaScript functionality (NVD).

The vulnerability exists in the theme's JavaScript code where user-supplied 'title' and 'data-dt-img-description' attributes are directly read via jQuery.attr() and concatenated into HTML strings. These strings are then inserted into the DOM using methods like jQuery.html() without proper escaping or filtering. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. When users access an affected page, the injected scripts will execute in their browsers, potentially leading to unauthorized actions, data theft, or other malicious activities (NVD).

According to the changelog, this vulnerability was addressed in version 12.7.1 released on August 8, 2025. Users are advised to update their installations of The7 theme to version 12.7.1 or later to protect against this vulnerability (The7 Changelog).