The vulnerability is an Improper Neutralization of Input During Web Page Generation that allows an attacker to inject malicious scripts into a victim’s browser when the Betheme theme renders a page. This DOM‑based cross‑site scripting flaw can let the attacker execute arbitrary JavaScript in the context of the user’s session, potentially leading to cookie theft, credential compromise, or phishing attacks. The flaw does not provide remote code execution on the server side, but it can compromise user accounts and data through the browser.

muffingroup Betheme, versions from the initial release through 28.2, is vulnerable. The same issue applies to all releases up to and including 28.2 regardless of minor patching, as the description explicitly states the affected range is "from n/a through <= 28.2."

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of <1% suggests a very low but non‑zero probability of exploitation. The flaw is listed as not in the KEV catalog, implying no widespread documented exploitation as of now. The likely attack vector is a victim visiting a WordPress site that uses the vulnerable Betheme theme; the attacker can craft payloads that are executed by the browser when the page is rendered. Because the impact relies on user interaction and browser execution, the risk is chiefly to the end‑user experience rather than direct compromise of the server.