Platform
wordpress
Component
noo-citilights
Fixed in
3.7.2
CVE-2026-24973 identifies a Reflected Cross-Site Scripting (XSS) vulnerability in the CitiLights WordPress theme (noo-citilights). An attacker who gets a victim to open a crafted URL can have arbitrary script execute in the victim's browser in the context of the affected site, which can lead to session abuse, data theft or page defacement. The vulnerability affects all versions of CitiLights up to and including 3.7.1; version 3.7.2 contains the fix.
The impact of this Reflected XSS vulnerability is significant. An attacker crafts a URL whose parameter carries JavaScript; when a user opens that URL, the theme reflects the value into the page without encoding it and the script runs in the user's browser under the site's origin. Because WordPress sets its authentication cookies HttpOnly, the script usually cannot read them directly, but it can issue requests with the victim's authenticated session, redirect the user to a phishing site, or rewrite the page content. The blast radius covers every visitor of a site running the vulnerable theme who follows a crafted link, and if the victim is a logged-in administrator, the client-side flaw can be turned into a compromise of the site itself.
CVE-2026-24973 was publicly disclosed on 2026-03-25. No public proof-of-concept exploit is known at the time of writing. Reflected XSS is simple to weaponize once the vulnerable parameter is known, but exploitation requires a victim to follow a crafted link, and the EPSS estimate of 0.04% (11th percentile) currently puts the probability of exploitation low. The CVSS score of 7.1 (HIGH) reflects the potential impact. The vulnerability is not listed in the CISA KEV catalog.
Any WordPress site running an affected version of the CitiLights theme is exposed. Because the flaw lies in the theme's own handling of request parameters, the site does not need to accept user-generated content or host forms for a crafted URL to reach the vulnerable code. The injected script runs in the visitor's browser and is bounded by the same-origin policy, so the impact is confined to that site and the victim's session there; shared hosting does not by itself widen the blast radius of an XSS, although a compromised administrator session on one site can of course be used against whatever that administrator controls.
Detection:
• Check whether the theme directory is present on disk: grep -r "noo-citilights" /var/www/html/wp-content/themes/
• List the installed theme with WP-CLI (the component is a theme, so "wp plugin list" will not find it): wp theme list | grep -i citilights
• Check whether a Content-Security-Policy header is set as a compensating control; this confirms a mitigation is in place, not that the flaw is absent: curl -I <site_url> | grep -i content-security-policy
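The checks above only establish that the theme is present. The following script, added here as an example and not part of the advisory or of NooTheme's code, reads the theme's version from the "Version:" header of its style.css and compares it with the fixed release 3.7.2. It assumes the standard WordPress layout wp-content/themes/<slug>/style.css and the slug noo-citilights named on this page; the path /var/www/html/wp-content/themes is the same assumption the grep check makes.

```shell
#!/bin/sh
# Added example (not from the advisory or NooTheme): report whether an
# installed noo-citilights theme is older than the fixed release 3.7.2.
# Assumes the standard layout wp-content/themes/<slug>/style.css and the
# theme's "Version:" header line in style.css.

FIXED_VERSION="3.7.2"

# Extract the dotted version from a theme's style.css header ("Version: 3.7.1").
theme_version() {
  sed -n 's/^[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Numeric field-by-field comparison; succeeds (exit 0) when $1 is older than $2.
# Avoids relying on GNU "sort -V", which is not available on every host, and
# handles differing field counts (3.7 vs 3.7.2) and multi-digit fields (3.7.10).
version_lt() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    a="${a#*.}";  b="${b#*.}"
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
  done
  return 1   # versions are equal
}

# Print "affected", "fixed" or "unknown" (no parsable version) for one style.css.
citilights_status() {
  v=$(theme_version "$1")
  if [ -z "$v" ]; then echo "unknown"; return 0; fi
  if version_lt "$v" "$FIXED_VERSION"; then echo "affected"; else echo "fixed"; fi
}

# Look for the theme under a wp-content/themes directory.
scan_themes_dir() {
  css="$1/noo-citilights/style.css"
  if [ -f "$css" ]; then citilights_status "$css"; else echo "not-installed"; fi
}

# Stand-alone demo on a constructed theme directory (not a real install),
# followed by a scan of the assumed live path.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/noo-citilights"
printf '/*\nTheme Name: CitiLights\nVersion: 3.7.1\n*/\n' > "$DEMO/noo-citilights/style.css"
echo "constructed 3.7.1 install: $(scan_themes_dir "$DEMO")"
echo "live install: $(scan_themes_dir /var/www/html/wp-content/themes)"
rm -rf "$DEMO"
```

Run it on every WordPress document root on the host; a result of "unknown" means the header could not be parsed and the version should be checked by hand (for example with wp theme get noo-citilights --field=version).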
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24973 is to upgrade the CitiLights WordPress theme to version 3.7.2 or later. If the upgrade must wait for compatibility testing, a Web Application Firewall rule that blocks request parameters containing script markup (for example <script, on...= event-handler attributes or javascript: URIs) reduces exposure, but treat it as a stopgap: encoding tricks routinely bypass such signatures. A restrictive Content-Security-Policy limits what an injected script can do even where the reflection remains. In the theme's own code, the durable fix is to escape every request-derived value at output with the WordPress escaping function that matches the HTML context (esc_html(), esc_attr(), esc_url()). After upgrading, verify the fix by placing a benign marker, not a live payload, in the affected URL parameter and confirming that the response contains it only in entity-encoded form.
Update to version 3.7.2 or a newer patched version.
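The verification step described above, as an added example that is not part of the advisory or of NooTheme's code. The probe breaks out of an attribute and opens a tag, but names an element that does not exist, so it proves reflection without running anything even on an unpatched site. The page does not name the vulnerable parameter, so the parameter name passed to check_url is a placeholder you must replace; the sample response bodies are constructed for the offline run, not captured from a real site.

```shell
#!/bin/sh
# Added example (not from the advisory or NooTheme): after patching, confirm
# that a benign probe sent in a URL parameter comes back HTML-encoded, not raw.

# Breaks out of a quoted attribute and opens a tag, but the element name
# <xss-probe> is not a real tag, so nothing executes even if reflected raw.
PROBE='"><xss-probe>'

# Classify a response body:
#   unescaped     probe reflected verbatim          -> still vulnerable
#   escaped       only the entity-encoded form found -> output escaping works
#   not-reflected parameter is not echoed at all
reflection_verdict() {
  body="$1"
  case "$body" in
    *"$PROBE"*) echo "unescaped"; return 0 ;;
  esac
  # What esc_attr()/esc_html()/htmlspecialchars() produce for the probe.
  # Extend the pattern if the site uses a different entity form for quotes.
  escaped='&quot;&gt;&lt;xss-probe&gt;'
  case "$body" in
    *"$escaped"*) echo "escaped" ;;
    *)            echo "not-reflected" ;;
  esac
}

# Fetch a page with the probe URL-encoded into the named query parameter and
# classify the result. PARAM is a placeholder: the advisory does not name the
# vulnerable parameter.
# Usage: check_url https://example.test/ PARAM
check_url() {
  url="$1"; param="$2"
  body=$(curl -s -G --data-urlencode "${param}=${PROBE}" "$url")
  reflection_verdict "$body"
}

# Constructed response bodies for an offline run (not captured from a real site):
# a page that reflects the parameter raw, and one that escapes it at output.
VULN_BODY='<input type="search" value=""><xss-probe>">'
FIXED_BODY='<input type="search" value="&quot;&gt;&lt;xss-probe&gt;">'
echo "unpatched sample: $(reflection_verdict "$VULN_BODY")"
echo "patched sample:   $(reflection_verdict "$FIXED_BODY")"
```

A verdict of "unescaped" after the upgrade means either the theme was not actually updated or another component echoes the same parameter; "not-reflected" on the parameter you believed affected means the probe did not reach the vulnerable code path, so the test is inconclusive rather than a pass.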
CVE-2026-24973 is a Reflected XSS vulnerability affecting the CitiLights WordPress theme, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using the CitiLights WordPress theme in versions 0.0.0 through 3.7.1. Upgrade to 3.7.2 or later to resolve the issue.
Upgrade the CitiLights WordPress theme to version 3.7.2 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no indication that CVE-2026-24973 is being actively exploited in the wild.
Refer to the NooTheme website or the theme's official distribution channel for the official advisory and update information regarding CVE-2026-24973.