Impact
The vulnerability is an unauthenticated cross-site scripting (XSS) flaw that allows an attacker to inject arbitrary JavaScript into a visitor's browser when the SpaLab theme is used. The weakness is a classic input-validation error, classified as CWE-79.
Affected Systems
The flaw affects installations of the Designthemes SpaLab Beauty Salon WordPress Theme, versions 6.7 and earlier. Any WordPress site running this theme without an upgrade is susceptible, regardless of the underlying WordPress core version.
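To find affected installs, the sketch below reads the standard `Theme Name` and `Version` headers from each theme's `style.css` and flags SpaLab copies at 6.7 or earlier. It is an added example, not code from the advisory or the theme vendor. It assumes the theme's `Theme Name` header contains "SpaLab"; the directory names in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (6, 7)  # from the advisory: versions 6.7 and earlier
NAME_RE = re.compile(r"spalab", re.I)  # assumption: Theme Name header contains "SpaLab"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.*?)[ \t]*\r?$", re.I | re.M)

def read_headers(style_css):
    """Parse the WordPress theme header comment (first 8 KiB of style.css)."""
    text = style_css.read_bytes()[:8192].decode("utf-8", "replace")
    headers = {}
    for key, value in HEADER_RE.findall(text):
        headers.setdefault(key.lower(), value)  # first occurrence wins
    return headers

def parse_version(raw):
    """'6.7.0' -> (6, 7); None when there is no leading dotted number."""
    m = re.match(r"\d+(?:\.\d+)*", raw.strip())
    if not m:
        return None
    nums = [int(p) for p in m.group().split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()  # so 6.7.0 compares equal to 6.7
    return tuple(nums)

def scan(themes_dir):
    """Return (directory, version, status) for each SpaLab-named theme."""
    findings = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        h = read_headers(css)
        if not NAME_RE.search(h.get("theme name", "")):
            continue
        ver = parse_version(h.get("version", ""))
        status = ("unknown-version" if ver is None  # needs a manual check
                  else "affected" if ver <= AFFECTED_MAX else "outside-listed-range")
        findings.append((css.parent.name, h.get("version", ""), status))
    return findings

def demo():
    """Scan a constructed themes directory (sample data, not real sites)."""
    root = Path(tempfile.mkdtemp())
    samples = {"spalab": ("SpaLab", "6.7"), "spalab-old": ("SpaLab", "6.5.2"),
               "spalab-new": ("SpaLab", "6.8"), "other": ("Twenty Test", "1.0")}
    for name, (theme, ver) in samples.items():
        (root / name).mkdir()
        (root / name / "style.css").write_text(f"/*\nTheme Name: {theme}\nVersion: {ver}\n*/\n")
    return scan(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `scan()` on the site's `wp-content/themes` directory. A status of `outside-listed-range` only means the version is above the range this advisory lists.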
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability. No EPSS score is available, but because the flaw is client-side and does not require authentication, an attacker can exploit it simply by directing a user to the affected site or by creating a malicious link. The vulnerability is not listed in the CISA KEV catalog, which suggests there are no known reports of widespread exploitation.