This vulnerability is an instance of improper neutralization of input during web page generation, allowing reflected XSS in the Pressroom theme from QuanticaLabs. An attacker can craft a malicious request that injects arbitrary client‑side scripts into the HTML output. If a victim visits the tampered URL, the script executes with the victim’s session context, potentially enabling credential theft, session hijacking, or defacement. The flaw resides in how the theme processes user‑generated data without proper escaping, a classic injection weakness (CWE‑79).

All installations of the QuanticaLabs Pressroom WordPress theme, including every released version from the earliest build up to and including 7.0, are affected. Any site running one of these versions is vulnerable if the theme’s uncontrolled parameters can be reflected in a browser context.

The CVSS score of 7.1 indicates a high impact vulnerability, yet the EPSS score of less than 1% suggests that exploitation attempts are expected to be rare. The vulnerability is not listed in CISA’s KEV catalog, further indicating limited known exploitation activity. The most likely attack vector is external, web‑based traffic that includes a specially crafted query string or form parameter that the theme reflects back into the page output. Since the flaw is a reflected XSS rather than a remote code execution, the attacker’s ability to compromise the server is limited, but the client‑side impact can be severe if session data is available.