The vulnerability originates from improper neutralization of input during web page generation, enabling a reflected cross‑site scripting condition in the Starto theme. An attacker can embed malicious scripts through unfiltered query parameters or form inputs, potentially leading to theft of browser session data, credential hijacking, defacement of the site, or the propagation of malware to visitors.

The issue affects any installation of ThemeGoods Starto for WordPress versions prior to 2.2.5, namely any Starto theme instance that has not been updated to the minimum patched release. No specific WordPress core versions are cited, but the theme itself is the point of exploitation.

The CVSS score of 7.1 indicates moderate‑to‑high severity. The EPSS score of less than 1% signifies a very low likelihood of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely craft a malicious URL or form submission targeting a page rendered by the vulnerable theme; a successful injection could affect any user who visits the compromised page, causing integrity and confidentiality losses. Therefore, while the risk of exploitation is currently low, the potential impact warrants timely remediation.