WordPress sites using the AmentoTech Doctreat theme up to version 1.6.7 are vulnerable to a reflected cross‑site scripting flaw. The theme fails to properly neutralize user‑supplied input that is echoed back in page output, allowing an attacker to inject malicious JavaScript. An attacker could coerce a victim to visit a crafted URL that executes arbitrary scripts in the victim's browser, potentially stealing session cookies, performing phishing attacks, or redirecting to malicious content. The vulnerability is classified as CWE‑79 and could lead to significant confidentiality and integrity compromise for affected users.

AmentoTech’s Doctreat WordPress theme is affected. All installations of the theme through version 1.6.7, including any non‑specific release versions, are vulnerable. WordPress sites that rely on this theme, regardless of other plugins or versions, are at risk until the theme is upgraded past 1.6.7.

The CVSS score of 7.1 indicates a high‑level severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the short term. The flaw is not listed in the CISA KEV catalog. Attackers would need to entice a victim to click a malicious link or otherwise supply crafted input that is reflected in the page. Exploitation relies on victim interaction and is not automatically actionable from the server side. Nonetheless, the potential impact on user data and site reputation warrants prompt action.