Stored Cross-Site Scripting in The7 WordPress Theme by Dream-Theme
Posted: Sat Aug 09, 2025 3:01 pm
The7 WordPress theme has a vulnerability that allows for Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in its lightbox rendering code. This flaw enables authenticated users with Contributor-level access or higher to inject malicious scripts into web pages. The theme’s JavaScript processes user-provided 'title' and 'data-dt-img-description' attributes directly via jQuery, creating an HTML string that is inserted into the DOM without proper escaping. As a result, scripts embedded in these attributes can execute in the context of other users accessing the affected pages.
https://securityvulnerability.io/vulner ... -2025-7726
https://securityvulnerability.io/vulner ... -2025-7726