Platform: wordpress
Component: noo-citilights
Fixed in: 3.7.2
CVE-2026-24973 is a Reflected Cross-Site Scripting (XSS) vulnerability in the CitiLights WordPress theme (noo-citilights). Request input is reflected into a page without sufficient output encoding, so an attacker who gets a victim to open a crafted URL can run script in the victim's browser within the site's origin, which can lead to session hijacking, data theft, or defacement. CitiLights versions 0.0.0 through 3.7.1 are affected; the fix ships in version 3.7.2.
The impact of this Reflected XSS vulnerability is significant. An attacker crafts a URL that carries JavaScript in the vulnerable parameter and persuades a user to open it (a phishing e-mail, a forum post, a shortened link). The script then runs in the site's origin with the victim's session: it can read whatever the page can read, send authenticated requests on the user's behalf, redirect the user to a phishing site, or rewrite the page content. Authentication cookies can only be read directly if they are not marked HttpOnly (WordPress marks its own that way), but that does not stop the script from driving the logged-in session, so the practical outcome is still account takeover. Because the payload travels in the URL rather than being stored on the server, each victim must be lured individually; the blast radius is every visitor who follows such a link. If the victim is an administrator, the script can perform privileged actions in wp-admin with that session, which is how a single click can escalate to broader compromise of the site.
CVE-2026-24973 was publicly disclosed on 2026-03-25. At the time of writing there is no indication of exploitation in the wild, no public proof-of-concept (PoC) has been released, and the vulnerability is not listed in the CISA KEV catalog. Treat that as a short head start rather than a reason to wait: reflected XSS is straightforward to exploit once the vulnerable parameter is identified, and the absence of a public PoC says nothing about private ones.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-24973 is to upgrade the CitiLights WordPress theme to version 3.7.2 or later without delay. If the upgrade cannot be applied immediately because of compatibility or customization concerns, reduce exposure in the meantime: put a Web Application Firewall (WAF) with XSS rules in front of the site, bearing in mind that signature-based XSS filters are routinely bypassed and only buy time, and, if you maintain a child theme or template overrides, make sure every value they print is escaped on output with the WordPress helpers for the context (esc_html() for text, esc_attr() for attribute values, esc_url() for href/src). Escaping at output time is what fixes reflected XSS; filtering input is a weaker substitute. Regularly scan the installation for outdated plugins and themes so issues like this one are caught early. After upgrading, confirm the fix rather than assuming it: request the affected page with an inert marker containing a double quote and an angle bracket in each query parameter the template reads, and verify that the marker comes back entity-encoded rather than raw. Run that check with the WAF out of the path, or from an address it does not filter, because a WAF block can mask a theme that is still unpatched.
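The post-upgrade check described above, written out as an added Python example (this is not code from the CitiLights theme, NooTheme, or this advisory): it builds a probe URL carrying an inert canary and classifies whether the response reflects that canary raw, which means the parameter is still exploitable, or entity-encoded, which is what escaping on output produces. The parameter name `q`, the `fetch()`/`check_target()` helpers, and the two sample response bodies are assumptions constructed for the example; the advisory does not name the affected parameter, so on a real site probe every parameter the affected template reads.

```python
"""Post-upgrade reflection check for a reflected XSS fix.

Added example, not code from the CitiLights theme, NooTheme, or this advisory.
It sends an inert canary in a URL parameter and reports whether the response
reflects it raw (still vulnerable) or entity-encoded (escaped on output, which
is what the fix is expected to do).  The parameter name `q` and the two sample
responses at the bottom are assumptions: the advisory does not name the affected
parameter, so in practice probe every parameter the affected template reads.
"""
import html
import re
import urllib.parse
import urllib.request

# Inert canary: '<9f3a>' is not a valid tag name, so browsers render it as text,
# but the literal '"' and '<' are exactly the characters output escaping must encode.
CANARY = 'xss"canary<9f3a>'


def build_probe_url(base_url: str, param: str, canary: str = CANARY) -> str:
    """Return base_url with param=canary added to (or replacing in) the query string."""
    parts = urllib.parse.urlsplit(base_url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = canary
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def _context_at(body: str, pos: int) -> str:
    """Rough HTML context of an offset: 'attribute' (inside a tag), 'script' or 'text'."""
    head = body[:pos]
    if head.rfind("<") > head.rfind(">"):
        return "attribute"
    lowered = head.lower()
    if lowered.rfind("<script") > lowered.rfind("</script"):
        return "script"
    return "text"


def classify_reflection(body: str, canary: str = CANARY) -> dict:
    """Report how a response reflects the canary.

    'raw'      -> canary present with '"' and '<' unencoded: still exploitable.
    'escaped'  -> canary present as &quot;/&lt;/&gt; entities, the form that
                  esc_html()/esc_attr() style output produces in a fixed theme.
    'contexts' -> HTML context of each raw occurrence; attribute and script
                  contexts need different payloads but are all findings.
    Other entity spellings (&#34;, &#x22;) show as neither flag; 'raw' is the
    decisive signal either way.
    """
    raw_positions = [m.start() for m in re.finditer(re.escape(canary), body)]
    return {
        "raw": bool(raw_positions),
        "escaped": html.escape(canary, quote=True) in body,
        "contexts": [_context_at(body, p) for p in raw_positions],
    }


def fetch(url: str, timeout: float = 10.0) -> str:
    """GET a URL and return the body as text (network; not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": "xss-reflection-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def check_target(base_url: str, params: list) -> dict:
    """Probe each parameter against a live site; returns {param: classification}."""
    return {p: classify_reflection(fetch(build_probe_url(base_url, p))) for p in params}


# Constructed sample responses (not captured from any real site): a search template
# echoing the query before and after escaping on output.
VULNERABLE_BODY = (
    '<form action="/" method="get">\n'
    f'  <input type="text" name="q" value="{CANARY}">\n'
    "</form>\n"
    f"<p>Results for {CANARY}</p>\n"
)
PATCHED_BODY = VULNERABLE_BODY.replace(CANARY, html.escape(CANARY, quote=True))


if __name__ == "__main__":
    print(build_probe_url("https://example.com/?s=shoes", "q"))
    for label, body in (("before fix", VULNERABLE_BODY), ("after fix", PATCHED_BODY)):
        result = classify_reflection(body)
        verdict = "STILL REFLECTS RAW INPUT" if result["raw"] else "escaped on output"
        print(f"{label}: {verdict} {result['contexts']}")
```

The canary deliberately contains both a double quote and an angle bracket so that a template that escapes one context but not the other is still caught: the attribute context in the sample is broken out of by the quote even when `<` is encoded. Against a live site, call `check_target("https://your-site.example/", ["q", "s"])` with the WAF out of the path; a 403 from the WAF proves nothing about the theme.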
Update to version 3.7.2 or a newer patched version.
CVE-2026-24973 is a Reflected XSS vulnerability affecting the CitiLights WordPress theme, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using the CitiLights WordPress theme in versions 0.0.0 through 3.7.1. Upgrade to 3.7.2 or later to resolve the issue.
Upgrade the CitiLights WordPress theme to version 3.7.2 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no indication that CVE-2026-24973 is being actively exploited in the wild.
Refer to the NooTheme website or the CitiLights theme's release notes for the official advisory and update information regarding CVE-2026-24973.