Impact
Improper neutralization of input during web page generation creates a reflected XSS flaw that allows an attacker to inject malicious scripts through user input fields handled by the Electrician theme. Because the vulnerability lies in missing output escaping, an attacker could run arbitrary JavaScript in the victim's browser, potentially stealing session cookies, defacing content, or redirecting users to phishing sites. The weakness is classified as CWE-79.
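As an added illustration of the CWE-79 pattern described above (a constructed example, not code from the Electrician theme or vergatheme; the `service_q` parameter and the template fragment are hypothetical), the unescaped template is shown beside its escaped counterpart:

```php
<?php
// Constructed illustration of reflected XSS (CWE-79) in a WordPress theme template.
// Not the Electrician theme's code; the "service_q" parameter is hypothetical.
// esc_html()/esc_attr() are WordPress core functions; the stand-ins below exist
// only so this file runs outside WordPress and mirror their behaviour
// (HTML-encode &, <, >, ", ').
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// BEFORE: the request value is concatenated straight into the page, so whatever
// the URL carries is rendered as markup (the reflected XSS the advisory describes).
function render_search_header_vulnerable(array $get): string {
    $q = isset($get['service_q']) ? (string) $get['service_q'] : '';
    return '<h2>Results for: ' . $q . '</h2>'
         . '<input type="text" name="service_q" value="' . $q . '">';
}

// AFTER: each untrusted value is escaped for the context it lands in
// (esc_html for element text, esc_attr for attribute values).
function render_search_header_fixed(array $get): string {
    $q = isset($get['service_q']) ? (string) $get['service_q'] : '';
    return '<h2>Results for: ' . esc_html($q) . '</h2>'
         . '<input type="text" name="service_q" value="' . esc_attr($q) . '">';
}

// Constructed request: a value that closes the attribute and opens a script tag.
$constructed_get = ['service_q' => '"><script>alert(1)</script>'];

echo "Vulnerable output:\n" . render_search_header_vulnerable($constructed_get) . "\n\n";
echo "Fixed output:\n" . render_search_header_fixed($constructed_get) . "\n";

// Defensive check: in the fixed output the payload survives only as text
// (&quot;&gt;&lt;script&gt;...), never as a live tag.
assert(strpos(render_search_header_fixed($constructed_get), '<script') === false);
```

Run with `php -d zend.assertions=1 example.php` to have the final check enforced; the vulnerable function is included only to make the difference visible.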
Affected Systems
The Electrician – Electrical Service WordPress theme from vergatheme is affected in all versions up to and including 1.0 (no lower bound is specified). Any WordPress installation using this theme within that version range is susceptible.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, with potential impact on confidentiality, integrity, and availability through client-side attacks. The EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog, which reduces the immediate systemic threat. However, because the flaw is reflected XSS, it can be triggered remotely by a malicious link or embedded content, so any user who visits a page rendered by the theme could be affected. The risk remains significant enough to warrant timely patching.
OpenCVE Enrichment
EUVD