{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11897", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T23:09:50.983Z", "datePublished": "2025-10-25T12:26:28.878Z", "dateUpdated": "2026-04-08T17:25:21.752Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:21.752Z"}, "affected": [{"vendor": "Dream-Theme", "product": "The7 \u2014 Website and eCommerce Builder for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "12.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The7 \u2014 Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018 the7_fancy_title_css\u2019 parameter in all versions up to, and including, 12.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "The7 \u2014 Ultimate WordPress & WooCommerce Theme <= 12.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'the7_fancy_title_css'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d26c7cd4-7548-421f-ace0-7f9dce16b0dc?source=cve"}, {"url": "https://themeforest.net/item/the7-responsive-multipurpose-wordpress-theme/5556590#item-description__recent-updates"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-10-16T23:25:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:29:20.680006Z", "id": "CVE-2025-11897", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:29:28.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11897", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:29:20.680006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:29:25.424Z"}}], "cna": {"title": "The7 \u2014 Ultimate WordPress & WooCommerce Theme <= 12.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'the7_fancy_title_css'", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Dream-Theme", "product": "The7 \u2014 Website and eCommerce Builder for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "12.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T23:25:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d26c7cd4-7548-421f-ace0-7f9dce16b0dc?source=cve"}, {"url": "https://themeforest.net/item/the7-responsive-multipurpose-wordpress-theme/5556590#item-description__recent-updates"}], "descriptions": [{"lang": "en", "value": "The The7 \u2014 Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018 the7_fancy_title_css\u2019 parameter in all versions up to, and including, 12.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:21.752Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11897", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:21.752Z", "dateReserved": "2025-10-16T23:09:50.983Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T12:26:28.878Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The7 \u2014 Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018 the7_fancy_title_css\u2019 parameter in all versions up to, and including, 12.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11897", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T13:15:37.907", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/the7-responsive-multipurpose-wordpress-theme/5556590#item-description__recent-updates"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d26c7cd4-7548-421f-ace0-7f9dce16b0dc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:02:48.473725+00:00", "value": {"mitigation_remediation": ["Update The7 theme to version\u202f12.9.2 or later, which removes the vulnerable parameter handling.", "If an upgrade cannot be performed immediately, restrict Contributor accounts or remove Contributor privileges until the patch is applied.", "Review existing content for injected scripts and sanitize or delete the \u2018the7_fancy_title_css\u2019 values in the database; consider applying a site\u2011wide Content\u2011Security\u2011Policy header to mitigate client\u2011side XSS."], "summary": {"action": "Apply patch", "impact": "Stored Cross\u2011Site Scripting via insufficient sanitization of the theme option 'the7_fancy_title_css'"}, "threat_synthesis": {"affected_systems": "All releases of Dream\u2011Theme\u2019s The7 theme through version\u202f12.9.1, including all earlier builds, are susceptible.", "description_and_impact": "The WordPress theme for Dream\u2011Theme contains a stored cross\u2011site scripting flaw in the \u2018the7_fancy_title_css\u2019 parameter. Unsanitized input allows an attacker who can log in as a Contributor or higher to inject arbitrary JavaScript that will execute whenever a victim views an affected page. This capability can enable defacement, credential theft, session hijacking, or other client\u2011side compromise actions. The vulnerability is a classic input validation weakness (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.4 classifies the flaw as moderate severity. EPSS indicates an exploitation probability of less than 1\u202f%. The exploit requires authenticated access with Contributor privileges and the ability to modify theme settings, so it may not be widely available to anonymous attackers. The vulnerability is not in CISA\u2019s KEV catalog, suggesting that mass\u2010deployment of attack code has not been observed yet."}}}}, "created": "2025-10-27T22:10:08.934874+00:00", "updated": "2026-04-21T02:15:06.517130+00:00", "vendors": ["dream-theme", "dream-theme$PRODUCT$the7", "wordpress", "wordpress$PRODUCT$wordpress"]}