Impact
An unauthenticated reflected Cross Site Scripting flaw exists in WordPress Avante theme versions prior to 3.0.5. The flaw is caused by input parameters that are incorporated into page output without proper sanitization. Based on the description, it is inferred that an attacker could inject arbitrary JavaScript that is executed in the victim’s browser when the URL is visited. This type of weakness corresponds to CWE‑79. The CVSS score of 7.1 indicates high severity, meaning the flaw can potentially compromise confidentiality or integrity of the user session.
Affected Systems
Sites running ThemeGoods Avante theme older than 3.0.5 are affected. The vulnerability is independent of the WordPress core version and applies to any environment that uses the unpatched theme. No other themes or plugins are specified as impacted.
Risk and Exploitability
The CVSS score of 7.1 classifies the flaw as high. The EPSS score is not available, so the current likelihood of exploitation remains uncertain. The flaw is not listed in any KEV catalog. The likely attack vector is a remote unauthenticated user delivering a crafted link that includes malicious query parameters; the victim must simply click the link to trigger the reflected script. Because the exploit requires only a single URL, the difficulty is low, making the potential for exploitation moderate to high if an attacker is motivated.
OpenCVE Enrichment