The vulnerability is an improper neutralization of input during web page generation that permits reflected cross‑site scripting. When an attacker submits malicious JavaScript and the Kentha theme reflects that input back in the generated HTML without proper escaping, the victim’s browser will execute the script. Based on the nature of XSS, an attacker could potentially hijack the user’s session or collect other sensitive information, but these specific consequences are not stated explicitly in the vendor’s advisory and are inferred.

QantumThemes Kentha WordPress theme versions up to and including 4.7.2 are affected. Any WordPress installation that has Kentha installed with one of those versions is vulnerable if the theme’s input handling has not been updated.

The Exploit Prediction Scoring System indicates a very low exploit probability (<1%), and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to provide malicious input that the theme reflects back in a page, most likely through a crafted URL query string or form field. This exploitation path requires that a user visit the malicious link, so the attack relies on social engineering or user interaction, and the CVSS score of 7.1 indicates a high severity and therefore a need for remediation.