The vulnerability arises from improper neutralization of input during web page generation in the ThemeGoods Musico theme, allowing an attacker to embed malicious scripts that are reflected in the browser. This reflected cross‑site scripting can enable the execution of arbitrary JavaScript in a victim’s browser, potentially leading to session hijacking, credential theft, or defacement of the site. The weakness is characterized as a client‑side injection flaw.

The defect affects the WordPress Musico theme by ThemeGoods. Any WordPress installation that uses this theme version prior to 3.4.5 is vulnerable. Versions 3.4.5 and later contain the fix.

This flaw carries a CVSS score of 7.1, indicating a high severity with potential for serious impact on confidentiality and integrity. The EPSS score of less than 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is reflected XSS, requiring an attacker to craft a malicious link or payload that a victim opens. If successfully exploited, the attacker could run arbitrary scripts in the victim’s browser, enabling session hijack or data theft, although the vulnerability is not a remote code execution.