Impact
The Doctreat WordPress theme has an inadequate sanitization routine that fails to strip script-related tags from output. This basic cross-site scripting flaw (CWE-80) permits an attacker to inject JavaScript that executes in the browsers of anyone who views the affected content. An attacker who delivers a malicious payload could hijack user sessions, steal login credentials, deface the site or redirect visitors to malicious sites. The vulnerability arises from the theme outputting unfiltered content, not from a flaw in the underlying platform.
Affected Systems
All installations that use the AmentoTech Doctreat theme version 1.6.7 or earlier are impacted. The issue is confined to the theme itself and does not affect core WordPress, PHP, or the web server environment. Any site that renders theme‑provided content without additional filtering will be vulnerable.
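To check an installation against the affected range above, the following added example (not part of the advisory or of the theme's code) reads each theme's `style.css` header under a themes directory and flags Doctreat at 1.6.7 or earlier, along with any child theme that names it as its parent. The directory slug `doctreat`, the default path `wp-content/themes` and the function names are assumptions.

```python
import re
from pathlib import Path

LAST_AFFECTED = (1, 6, 7)   # from the advisory: 1.6.7 or earlier
THEME_SLUG = "doctreat"     # assumption: directory slug / Theme Name header

HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):(.*)$", re.I | re.M)

def read_headers(style_css):
    """Parse style.css header fields; WordPress only reads the first 8 KiB."""
    text = style_css.read_bytes()[:8192].decode("utf-8", errors="replace")
    return {k.lower(): v.strip() for k, v in HEADER_RE.findall(text)}

def parse_version(value):
    """'1.6.7' -> (1, 6, 7); None if there is no leading dotted number."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", value or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_themes(themes_dir):
    """Return {directory name: status} for Doctreat and its child themes."""
    headers = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        headers[css.parent.name] = read_headers(css)

    status = {}
    for slug, h in headers.items():
        if THEME_SLUG not in (slug.lower(), h.get("theme name", "").lower()):
            continue
        ver = parse_version(h.get("version"))
        if ver is None:
            status[slug] = "review: version header missing or unparseable"
        elif ver <= LAST_AFFECTED:
            status[slug] = "affected: " + h["version"]
        else:
            status[slug] = "newer than 1.6.7: " + h["version"]
    # A child theme runs the parent's templates, so it inherits the parent's status.
    for slug, h in headers.items():
        parent = h.get("template", "")
        if slug not in status and parent in status:
            status[slug] = "child of " + parent + " -> " + status[parent]
    return status

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes"
    for slug, state in audit_themes(root).items():
        print(slug, "-", state)
```

A version above 1.6.7 is reported only as newer, since the advisory text here does not name a fixed release.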
Risk and Exploitability
The CVSS score of 6.3 signals moderate severity, while the EPSS score of less than 1% indicates a low likelihood of large‑scale exploitation at present. The flaw is not included in the CISA KEV catalog. The likely attack vector is content submission via the theme that is subsequently rendered without sanitization; an attacker would craft a post, page, or other theme content containing malicious script, which then runs in visitors’ browsers. Because it is a client‑side flaw, no privileged server access is required to exploit it.
OpenCVE Enrichment