Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS.This issue affects The7: from n/a through < 12.9.0.
Published: 2025-12-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Dream‑Theme The7 WordPress theme (slug dt-the7) and is classified as CWE-79. The XSS is DOM‑based: client‑side JavaScript shipped with the theme reads data the attacker controls (in a DOM‑based flaw this is typically part of the URL, such as the fragment or a query parameter) and writes it into the page through an HTML‑interpreting sink without neutralizing it. The record does not name the specific source or sink. Because the payload is consumed in the browser, it need never be reflected by the server, so server‑side input filtering and most WAF rules do not see it. An attacker who lures a victim to a crafted URL can run script in the origin of the site: ride or steal the victim's session (including that of a logged‑in administrator), perform actions on the victim's behalf, deface the page, or redirect visitors to malicious domains.

Affected Systems

All installations of The7 earlier than 12.9.0 are affected; the record originally listed the range as "<= 12.8.0.2" and was later widened to "< 12.9.0", so 12.8.0.2 and every older release are in scope. The product is the WordPress theme dt-the7 distributed by Dream‑Theme; the CVE was assigned by Patchstack as CNA.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (Medium) indicates moderate severity, while the EPSS score of <1% suggests a low current probability of exploitation in the wild; EPSS is re‑estimated regularly and a low value is not a guarantee. The vulnerability is not in the CISA KEV catalog, and the SSVC record marks it as not automatable, with no known exploitation and partial technical impact. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) scores it as remotely reachable with low attack complexity but requiring low privileges (PR:L) and user interaction (UI:R): as scored, the attacker holds a low‑privileged account on the site and must get a victim to open a manipulated URL. The changed scope (S:C) reflects that the injected script runs in the victim's browser against the site rather than in the theme itself. No public proof of concept is referenced on this page.

Generated by OpenCVE AI on April 29, 2026 at 12:19 UTC.

Remediation

No vendor advisory or workaround is linked from this record. The affected range ("< 12.9.0") indicates the issue is addressed in The7 12.9.0.

OpenCVE Recommended Actions

  • Upgrade Dream‑Theme The7 to version 12.9.0 or later, the first release outside the affected range recorded in this CVE.
  • Fix DOM‑based XSS in the client‑side code, not only on the server: treat URL‑derived data (location.hash, location.search, document.referrer, postMessage payloads) as untrusted, validate it against an allow‑list wherever it selects behaviour, and write it only through non‑parsing sinks such as textContent; where HTML must be built, encode for the exact output context at the point of insertion. Server‑side escaping alone does not address a flaw whose source and sink are both in the browser.
  • Deploy a Content Security Policy that disallows inline script (a nonce‑ or hash‑based script-src without 'unsafe-inline') and restricts script sources to trusted origins, as a secondary defense against residual XSS. Many WordPress themes and plugins emit inline scripts, so roll the policy out with Content-Security-Policy-Report-Only first and review the reports before enforcing it.
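As an added illustration of the bug class behind the Impact and Recommended Actions sections above (not code from The7, whose vulnerable source and sink this record does not show), the following script contrasts a URL‑fragment‑to‑innerHTML flow with an allow‑listed textContent write and with context escaping. The hash‑driven tab switch, element names, allow‑list and payload are assumptions, and a tiny fake element stands in for the DOM node so the file runs under Node without a browser:

```javascript
// Added illustration of the DOM-based XSS pattern (CWE-79) described in
// this record. It is NOT code from The7 / dt-the7: the hash-driven tab
// switch, element names, allow-list and payload are assumptions chosen to
// show the bug class. A tiny fake element stands in for the DOM node so
// the file runs under Node without a browser.

// Stand-in for a DOM element: records what gets assigned to the
// HTML-parsing sink (innerHTML) and to the text-only sink (textContent).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Encoding for text placed inside an element body (HTML text context).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE (assumed pattern): the URL fragment is decoded and written via
// innerHTML, so markup in the URL is parsed by the browser. The server never
// sees the fragment, which is what makes the flaw DOM-based.
function showTabVulnerable(el, hash) {
  const tab = decodeURIComponent(hash.replace(/^#/, ""));
  el.innerHTML = "<h2>" + tab + "</h2>"; // sink: HTML parser
  return el.innerHTML;
}

// HARDENED: the fragment only selects among known tab ids (allow-list) and
// is written through textContent, which never invokes the HTML parser.
const KNOWN_TABS = new Set(["overview", "pricing", "contact"]);
function showTabSafe(el, hash) {
  let tab = decodeURIComponent(hash.replace(/^#/, ""));
  if (!KNOWN_TABS.has(tab)) tab = "overview";
  el.textContent = tab; // sink: text node only
  return el.textContent;
}

// Fallback for templates that must build an HTML string: encode for the
// element-body context at the point of insertion.
function renderHeadingEscaped(hash) {
  const tab = decodeURIComponent(hash.replace(/^#/, ""));
  return "<h2>" + escapeHtml(tab) + "</h2>";
}

// Constructed attacker fragment (not taken from the advisory). An <img>
// with an onerror handler fires on parse; innerHTML does not execute
// <script> elements it inserts, so real payloads use handlers like this.
const ATTACK_HASH = "#%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E";

// Naive triage check on produced markup: an opening tag that carries an
// on* event-handler attribute, or a <script> tag. Entity-encoded text such
// as "&lt;img ... onerror=..." does not match because no tag is opened.
function hasExecutableMarkup(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

function demo() {
  const vuln = showTabVulnerable(makeElement(), ATTACK_HASH);
  const safe = showTabSafe(makeElement(), ATTACK_HASH);
  const escaped = renderHeadingEscaped(ATTACK_HASH);
  return {
    vulnerableExecutes: hasExecutableMarkup(vuln),  // true
    safeExecutes: hasExecutableMarkup(safe),        // false
    escapedExecutes: hasExecutableMarkup(escaped),  // false
    safeRendered: safe,                             // "overview"
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the three outcomes side by side. The allow‑list variant is the preferable fix when the URL value only selects behaviour, because nothing attacker‑controlled is rendered at all; the escaping variant is the fallback when a legacy template must build markup, and it must be applied in the exact context (here element body) where the value lands.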



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS.This issue affects The7: from n/a through <= 12.8.0.2.
  Added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS.This issue affects The7: from n/a through < 12.9.0.
Title
  Removed: WordPress The7 theme <= 12.8.0.2 - Cross Site Scripting (XSS) vulnerability
  Added:   WordPress The7 theme < 12.9.0 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

First Time appeared
  Added: Dream-theme; Dream-theme the7; Wordpress; Wordpress wordpress
Vendors & Products
  Added: Dream-theme; Dream-theme the7; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 16:15:00 +0000

Metrics
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 15:00:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS.This issue affects The7: from n/a through <= 12.8.0.2.
Title
  Added: WordPress The7 theme <= 12.8.0.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses
  Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:37:14.351Z

Reserved: 2025-10-24T14:26:55.389Z

Link: CVE-2025-63073

Vulnrichment

Updated: 2025-12-09T15:23:35.269Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:13.417

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-63073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:30:10Z

Weaknesses