Impact
An unauthenticated cross-site scripting (XSS) vulnerability exists in all releases of the Fitness Zone WordPress Theme up to and including version 5.7. Input that reaches the theme's rendered page output is not properly neutralized, so an attacker can inject arbitrary JavaScript that executes in the browser of any user who views the affected page, within the security context of the site. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting').
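To make the CWE-79 pattern concrete, the following is an added illustration and is not code from the Fitness Zone theme: the request parameter name `ref`, the function names and the banner template are all assumptions. It shows a theme template echoing request input unescaped, beside the hardened form that sanitizes on input and escapes with the WordPress function that matches the output context.

```php
<?php
// Added example of the CWE-79 pattern behind an unauthenticated theme XSS.
// Not the Fitness Zone theme's code: the "ref" parameter, the function names
// and the banner markup are assumed for illustration only.

// Vulnerable pattern: a request parameter is concatenated straight into HTML.
// A request carrying ref=<script>...</script> would run that script in the
// browser of whoever loads the page, with no login required.
function fz_example_vulnerable_banner() {
    $ref = isset( $_GET['ref'] ) ? $_GET['ref'] : '';
    echo '<div class="banner">Welcome, ' . $ref . '</div>';
}

// Hardened form: unslash, sanitize on the way in, and escape for the exact
// output context on the way out (here, HTML text content).
function fz_example_hardened_banner() {
    $ref = isset( $_GET['ref'] ) ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';
    echo '<div class="banner">Welcome, ' . esc_html( $ref ) . '</div>';
}

// Escaping is context specific: an attribute value needs esc_attr(), an href
// needs esc_url(). esc_html() alone does not protect those positions.
function fz_example_hardened_link( $target ) {
    printf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $target ),
        esc_attr( $target ),
        esc_html( $target )
    );
}

// Stored theme content (options, widgets) is output the same way: allow only
// the post-safe HTML subset rather than echoing the saved value verbatim.
function fz_example_hardened_option( $option_name ) {
    echo wp_kses_post( get_theme_mod( $option_name, '' ) );
}
```

When auditing a theme for this class of bug, search every `echo`, `print` and `printf` in the template files and confirm that each interpolated value passes through an escaping function chosen for its position in the markup; sanitizing on input without escaping on output is the usual gap.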
Affected Systems
All WordPress sites running the Designthemes Fitness Zone WordPress Theme at version 5.7 or earlier are affected. The flaw lies in the theme itself, so exposure does not depend on the WordPress core version or on any other installed plugin.
Risk and Exploitability
With a CVSS base score of 7.1, the flaw falls in the High severity band (7.0 to 8.9). No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack requires no authentication: a malicious payload can be embedded in content or parameters that the vulnerable theme renders, and is then delivered to any visitor who loads that page. The public description gives no further detail on the injection point; based on it, any user who views a page rendered with the vulnerable theme output should be considered exposed to the injected script.
OpenCVE Enrichment