Citilights
Monthly
A PHP Object Injection vulnerability exists in NooTheme CitiLights WordPress theme through version 3.7.1, stemming from unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious operations depending on available gadget chains in the WordPress environment. The vulnerability was reported by Patchstack and affects all versions up to and including 3.7.1; no CVSS score, EPSS data, or KEV status is currently available, though the nature of object injection vulnerabilities typically permits unauthenticated exploitation.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme CitiLights WordPress theme versions up to and including 3.7.1, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in victims' browsers. An attacker can craft malicious URLs containing JavaScript payloads and trick users into clicking them, potentially leading to session hijacking, credential theft, or malware distribution.
A PHP Object Injection vulnerability exists in NooTheme CitiLights WordPress theme through version 3.7.1, stemming from unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious operations depending on available gadget chains in the WordPress environment. The vulnerability was reported by Patchstack and affects all versions up to and including 3.7.1; no CVSS score, EPSS data, or KEV status is currently available, though the nature of object injection vulnerabilities typically permits unauthenticated exploitation.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme CitiLights WordPress theme versions up to and including 3.7.1, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in victims' browsers. An attacker can craft malicious URLs containing JavaScript payloads and trick users into clicking them, potentially leading to session hijacking, credential theft, or malware distribution.