Impact
A reflected Cross‑Site Scripting flaw exists in Themify Folo versions 1.9.6 and earlier that allows an attacker to embed malicious JavaScript in the output of a WordPress site. The flaw is an improper neutralization of input during web page generation and is classified as CWE‑79. If exploited, it can enable the attacker to execute arbitrary client‑side code in the browsers of visitors who view a crafted page, potentially allowing defacement, phishing, or the inclusion of malware on visited sites. The vulnerability is confined to data that is part of the request and echoed back in the response, so no local privileges are required.
Affected Systems
WordPress installations that use the Themify Folo theme and are running version 1.9.6 or any earlier release are affected. The issue applies to all releases of the theme available up to and including 1.9.6, regardless of WordPress core version.
Risk and Exploitability
The CVSS v3 score of 7.1 indicates a high severity for remote exploitation via crafted input. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, implying that a widespread, publicly known exploit is not yet documented. The attack vector is remote, relying on the construction of URLs or form submissions that embed malicious scripts which are then rendered by the susceptible theme during page generation.
OpenCVE Enrichment