Impact
The flaw originates from improper neutralization of user input during page rendering in the WordPress TheBi theme. It allows an attacker to inject arbitrary JavaScript that executes in a victim’s browser when the affected page is displayed. Attackers can leverage this to steal session cookies, deface content, or deliver malware. The vulnerability affects the listed theme version as well as all earlier releases, so any site running a vulnerable version is exposed to script injection in the rendered page. The likely attack vector is a crafted link that, when visited by a user, triggers the malicious payload; this is inferred from the reflected nature of the XSS and the requirement for user interaction.
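The rendering defect described above (request input echoed into the page without escaping) shown beside its hardened form, as an added illustration that is not the TheBi theme's own code; the `search_term` parameter and the template context are assumptions, since the advisory does not name the affected parameter.

```php
<?php
// Added illustration of the reflected-XSS pattern the advisory describes;
// not code from the TheBi theme. The parameter name is an assumption.

// VULNERABLE: the raw request value is written into the page unescaped,
// so a crafted link can make the browser run script in the victim's session.
function thebi_example_vulnerable_title() {
    $term = isset( $_GET['search_term'] ) ? wp_unslash( $_GET['search_term'] ) : '';
    echo '<h1 class="page-title">Results for: ' . $term . '</h1>';
    echo '<input type="text" name="search_term" value="' . $term . '">';
}

// HARDENED: sanitize on input, then escape for the exact output context:
// esc_html() for element content, esc_attr() for attribute values.
function thebi_example_hardened_title() {
    $term = isset( $_GET['search_term'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_term'] ) )
        : '';
    echo '<h1 class="page-title">Results for: ' . esc_html( $term ) . '</h1>';
    echo '<input type="text" name="search_term" value="' . esc_attr( $term ) . '">';
}
```

Note that sanitize_text_field() is an input filter, not a context-aware encoder; the output-time esc_html() and esc_attr() calls are what actually prevent the injected markup from being interpreted.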
Affected Systems
All installations of the foreverpinetree TheBi theme with version 1.0.5 or older are impacted. Sites that use this theme and have not applied a later update are therefore at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity flaw. The EPSS metric of less than 1% suggests that the likelihood of exploitation in the immediate future is low, and the vulnerability does not appear in CISA's KEV catalog. Typical exploitation would involve a malicious or crafted link that, when followed by a victim, causes the reflected payload to execute. This requires user interaction and is inferred from the nature of reflected XSS; attackers do not appear to require elevated privileges on the host, and the threat is confined to users who load the crafted content.
OpenCVE Enrichment