CVE-2026-24973
Reflected XSS in NooTheme CitiLights β€ 3.7.1 Web Pages
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nootheme | citi_lights | to 3.7.1 (inc) |
| nootheme | noo-citilights | to 3.7.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24973 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress CitiLights Theme versions up to and including 3.7.1.
This vulnerability allows attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβthat execute when visitors access the compromised website.
Exploitation requires no authentication but depends on a privileged user performing an action like clicking a malicious link, visiting a crafted page, or submitting a form.
How can this vulnerability impact me? :
The vulnerability can lead to execution of malicious scripts on your website, which may result in unauthorized redirects, unwanted advertisements, or other harmful HTML payloads being delivered to your visitors.
This can damage your website's reputation, compromise user trust, and potentially expose users to further attacks.
Since exploitation requires no authentication, attackers can easily target your site, making it likely to be used in mass-exploit campaigns regardless of your site's traffic or popularity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-24973 is a reflected Cross Site Scripting (XSS) vulnerability in the WordPress CitiLights Theme up to version 3.7.1. Detection typically involves monitoring for malicious script injections or unusual HTTP requests containing suspicious payloads.
While no specific commands are provided in the resources, common detection methods include using web application scanners or manual testing by sending crafted requests to the affected endpoints to check for script execution.
Additionally, network monitoring tools can be used to inspect incoming HTTP requests for suspicious parameters that might trigger the reflected XSS.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step is to update the WordPress CitiLights Theme to version 3.7.2 or later, which contains the patch for this vulnerability.
Until the update can be applied, Patchstack provides mitigation rules and automated solutions to block attacks exploiting this vulnerability.
It is strongly advised to implement these mitigations promptly to protect the website from potential mass-exploit campaigns.