Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme CitiLights noo-citilights allows Reflected XSS.This issue affects CitiLights: from n/a through <= 3.7.1.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

An attacker can inject malicious scripts into the browser by supplying crafted input that the NooTheme CitiLights WordPress theme reflects directly into the page. The scripts execute in the context of the visitor’s session, allowing the attacker to run code that the site’s users subsequently load.

Affected Systems

WordPress sites using the NooTheme CitiLights theme with version 3.7.1 or earlier are affected. Any deployment of this theme that has not been updated past that version remains vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is client‑side reflected input, such as a specially crafted URL or form submission accessed by a victim. No privileged access is required, making the vulnerability readily exploitable.

Generated by OpenCVE AI on March 26, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CitiLights theme to a version newer than 3.7.1 issued by NooTheme.
  • Verify that the upgrade eliminates reflected input handling by testing with known XSS payloads and ensuring proper output encoding.
  • If an immediate update is not feasible, apply server‑side sanitization or escaping to all user‑supplied data that the theme reflects.
  • Continue monitoring WordPress security advisories for additional patches or guidance.

Generated by OpenCVE AI on March 26, 2026 at 00:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nootheme
Nootheme citilights
Wordpress
Wordpress wordpress
Vendors & Products Nootheme
Nootheme citilights
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme CitiLights noo-citilights allows Reflected XSS.This issue affects CitiLights: from n/a through <= 3.7.1.
Title WordPress CitiLights theme <= 3.7.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Nootheme Citilights
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:23:33.565Z

Reserved: 2026-01-28T09:50:41.578Z

Link: CVE-2026-24973

cve-icon Vulnrichment

Updated: 2026-03-25T20:17:56.360Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:39.370

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-24973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:13:08Z

Weaknesses