Stored Cross-Site Scripting in The7 WordPress Theme by Dream-Theme
CVE-2025-7726

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: The7 — Website And Ecommerce Builder For WordPress
Vendor: CVE Published:; 9 August 2025

What is CVE-2025-7726?

The7 WordPress theme has a vulnerability that allows for Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in its lightbox rendering code. This flaw enables authenticated users with Contributor-level access or higher to inject malicious scripts into web pages. The theme’s JavaScript processes user-provided 'title' and 'data-dt-img-description' attributes directly via jQuery, creating an HTML string that is inserted into the DOM without proper escaping. As a result, scripts embedded in these attributes can execute in the context of other users accessing the affected pages.

Affected Version(s)

The7 — Website and eCommerce Builder for WordPress * <= 12.6.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/the7-responsive-multipurpose...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 9, 2025
Vulnerability Reserved
Jul 16, 2025

Credit

Craig Smith