Platform: wordpress
Component: noo-citilights
Fixed in: 3.7.2
CVE-2026-24973 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the CitiLights WordPress theme. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability affects CitiLights versions ranging from 0.0.0 up to and including 3.7.1, with a fix available in version 3.7.2.
The impact of this Reflected XSS vulnerability is significant. An attacker could craft a malicious URL containing JavaScript code and trick a user into clicking it. Upon visiting the URL, the injected script would execute within the user's browser context, with the same privileges as the user. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or even modify the content of the web page. The blast radius extends to all users who interact with the vulnerable CitiLights theme, particularly those who click on links from untrusted sources. Successful exploitation could compromise user accounts and potentially lead to broader system compromise if the user has administrative privileges.
CVE-2026-24973 was publicly disclosed on 2026-03-25. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept (POC) code has been released, but the nature of Reflected XSS vulnerabilities makes exploitation relatively straightforward once a vulnerable endpoint is identified. The vulnerability is not currently listed on the CISA KEV catalog.
Websites using the CitiLights WordPress theme, particularly those with user-generated content or forms that accept user input without proper sanitization, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially affected, as a compromise of one site could lead to the compromise of others.
• wordpress / composer / npm: grep -r "noo-citilights" /var/www/html/wp-content/themes/
• wordpress / composer / npm: wp theme list | grep citilights
• wordpress / composer / npm: curl -I <vulnerable_url_with_payload> | grep -i content-security-policy
Disclosure
Exploit status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24973 is to immediately upgrade the CitiLights WordPress theme to version 3.7.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests, or carefully sanitizing user inputs before displaying them on the website. Regularly scan your WordPress installation for outdated plugins and themes to proactively identify and address potential vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via a URL parameter and verifying that it is not executed.
Update to version 3.7.2, or a newer patched version
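To confirm that the installed theme really is on 3.7.2 or later (the grep above only finds the theme directory, not its version), here is an added shell check that is not part of the advisory; it assumes the theme lives in wp-content/themes/noo-citilights and reads the Version: field from its style.css header, the same field WordPress itself uses.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether an installed
# noo-citilights theme is in the affected range (<= 3.7.1) by reading the
# "Version:" header of its style.css, the field WordPress itself reads.
# Assumption: the theme lives in <wp-content>/themes/noo-citilights.
FIXED_VERSION="3.7.2"

# Print the Version: value from a theme's style.css header block.
theme_version() {
    sed -n 's/^[[:space:]]*[*]*[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when dotted version $1 is strictly lower than $2 (missing parts count as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify one theme directory: "vulnerable <v>", "patched <v>",
# "unknown" (no parsable version) or "missing" (no style.css).
check_theme_dir() {
    css="$1/style.css"
    [ -f "$css" ] || { echo "missing"; return 2; }
    v=$(theme_version "$css")
    [ -n "$v" ] || { echo "unknown"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable $v"; return 1
    fi
    echo "patched $v"; return 0
}

# Offline demo on a constructed fixture; on a real host pass
# /var/www/html/wp-content/themes/noo-citilights instead.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/noo-citilights"
    printf '/*\nTheme Name: CitiLights\nVersion: 3.7.1\n*/\n' > "$tmp/noo-citilights/style.css"
    check_theme_dir "$tmp/noo-citilights"   # prints "vulnerable 3.7.1"
    rm -rf "$tmp"
}
demo
```

The exit status (1 for an affected version, 0 for patched, 2 when undetermined) lets the check drop straight into a cron job or inventory script.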
CVE-2026-24973 is a Reflected XSS vulnerability affecting the CitiLights WordPress theme, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using the CitiLights WordPress theme in versions 0.0.0 through 3.7.1. Upgrade to 3.7.2 or later to resolve the issue.
Upgrade the CitiLights WordPress theme to version 3.7.2 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no indication that CVE-2026-24973 is being actively exploited in the wild.
Refer to the NooTheme website or WordPress plugin repository for the official advisory and update information regarding CVE-2026-24973.