An improper neutralization of input during page generation leads to a stored cross‑site scripting vulnerability (CWE‑79) in the 99colorthemes RainbowNews WordPress theme. This flaw allows an attacker to inject malicious JavaScript that is persisted in the database and executed whenever a visitor loads a page that renders the affected content. The injected script can perform actions such as stealing session cookies, redirecting users, defacing the site, or delivering malware. The impact is primarily a compromise of user confidentiality and integrity, and the vulnerability can affect any user who views the compromised page.

The vulnerability is present in all releases of the RainbowNews theme up to and including version 1.0.7. WordPress installations that have deployed this theme, regardless of the WordPress core version, are affected. The issue is tied to the theme's handling of user‑supplied input, not to the underlying PHP or database layer.

The CVSS score of 6.5 indicates a moderate severity, and the EPSS value of less than 1% suggests the likelihood of exploitation is currently low. Because the flaw is stored XSS, an attacker simply needs to supply content that will be rendered by the theme; no elevated credentials or privileged permissions are required. The flaw does not appear in the CISA KEV catalog, but the potential for widespread damage remains if an attacker targets a high‑traffic WordPress site running the affected theme.