Improper Neutralization of Input During Web Page Generation, classified as Cross-site Scripting, allows an attacker to inject malicious scripts that execute in the browsers of users who view a crafted page. The vulnerability resides in the Triss theme’s handling of user-provided data and can lead to credential theft, session hijacking, or defacement of the site when the injected script runs. The weakness aligns with CWE‑79, indicating a lack of input sanitization before rendering output.

The vulnerability affects the WordPress theme "Triss" developed by designthemes. All released versions from the initial build up to and including version 2.6 are susceptible. Users who have not upgraded beyond 2.6 are at risk while older installations are likewise potentially exposed.

The CVSS score of 7.1 marks the flaw as high severity. However, the EPSS score of less than 1% suggests few real‑world exploitation attempts are expected currently, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be reflected XSS, meaning an attacker must entice a user to click a malicious link or submit a crafted input that the theme fails to neutralize. Once the vulnerable code processes the input, the malicious script runs in the context of the affected site’s domain, granting the attacker the same privileges as the victim user.