Description
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitization and output escaping on the 'title' component of the 'link' shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The The7 WordPress theme contains a stored XSS flaw in the dt_default_button shortcode. The lack of proper input sanitization on the title attribute of the link parameter allows an authenticated user who has Contributor or higher privileges to inject arbitrary JavaScript that is saved in the database. When users subsequently view pages containing the injected content, the malicious code executes in their browsers, potentially compromising user credentials, defacing content, or delivering further malware.

Affected Systems

All installations of the Dream-Theme The7 theme for WordPress up to and including version 14.3.2 are vulnerable. Site owners using these versions should check their theme version and update if necessary.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4, indicating a moderate severity. Its EPSS score is not available and it is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been reported. The attack vector requires the attacker to first log in with at least Contributor privileges, then add or edit a button shortcode that includes a malicious title, after which the stored code is served to any visitor who opens the page.

Generated by OpenCVE AI on May 15, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the The7 theme to the latest released version (14.3.3 or newer) to remove the vulnerable code.
  • If an upgrade is not immediately possible, remove or deactivate the dt_default_button shortcode from all affected pages to prevent further injection.
  • Implement or enforce stricter role permissions so that only trusted administrators can create or edit shortcodes; consider revoking Contributor access to shortcode editing until the issue is resolved.
  • Ensure that theme updates are tested in a staging environment before deploying to production to avoid introducing new vulnerabilities.
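One way to locate shortcodes whose link title carries attribute-breaking characters, for the triage step before removing or deactivating them. This is an added example, not OpenCVE's or Dream-Theme's code; it assumes the WPBakery-style pipe-delimited "url:..|title:..|target:.." link format (an assumption, not stated in the advisory) and runs over constructed post_content rows rather than a real database.

```python
import re
from urllib.parse import unquote

# Shortcode name from the advisory. The pipe-delimited, URL-encoded
# "url:..|title:..|target:.." value format is an assumption (WPBakery-style).
SHORTCODE = "dt_default_button"
SHORTCODE_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Characters that close an HTML attribute or open a tag if echoed without esc_attr().
SUSPECT = re.compile(r"""["'<>]|javascript:""", re.IGNORECASE)


def parse_link(value):
    """Split a link attribute value into its decoded url/title/target components."""
    parts = {}
    for piece in value.split("|"):
        key, sep, val = piece.partition(":")
        if sep:
            parts[key.strip()] = unquote(val)
    return parts


def audit_content(post_id, content):
    """Return one finding per dt_default_button whose decoded link title
    contains characters that could break out of an attribute when output unescaped."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        title = parse_link(attrs.get("link", "")).get("title", "")
        if SUSPECT.search(title):
            findings.append({"post_id": post_id, "title": title, "shortcode": m.group(0)})
    return findings


def audit_posts(posts):
    """Audit a {post_id: post_content} mapping, e.g. exported from wp_posts."""
    out = []
    for post_id, content in posts.items():
        out.extend(audit_content(post_id, content))
    return out


# Constructed sample post_content rows, not data from any real site.
SAMPLE_POSTS = {
    101: '[dt_default_button link="url:https%3A%2F%2Fexample.com|title:Read%20more|target:_blank"]Read more[/dt_default_button]',
    102: '[dt_default_button link="url:%23|title:Go%22%20data-x%3D%22%3Cb%3E|target:_self"]Go[/dt_default_button]',
    103: "Plain paragraph with no shortcode.",
}

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: suspicious link title {f['title']!r}")
```

Flagged posts are candidates for manual review; a benign title containing an apostrophe will also be reported, so the output is a worklist, not a verdict.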



Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Dream-theme
  Dream-theme the7 — Website And Ecommerce Builder For Wordpress
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Dream-theme
  Dream-theme the7 — Website And Ecommerce Builder For Wordpress
  Wordpress
  Wordpress wordpress

Fri, 15 May 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitization and output escaping on the 'title' component of the 'link' shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: The7 <= 14.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 'link' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
  {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-15T13:28:14.886Z

Reserved: 2026-04-20T05:01:05.146Z

Link: CVE-2026-6646

Vulnrichment

Updated: 2026-05-15T13:28:10.222Z

NVD

Status : Deferred

Published: 2026-05-15T07:16:20.250

Modified: 2026-05-15T14:09:15.910

Link: CVE-2026-6646

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:20:53Z

Weaknesses