Impact
This vulnerability is an unauthenticated reflected cross‑site scripting (XSS) flaw in the LMS WordPress theme prior to version 9.8. An attacker can supply crafted input that the theme echoes back into the page without proper output encoding, allowing arbitrary client‑side script to execute in the victim's browser. The weakness is a classic input validation flaw (CWE‑79, improper neutralization of input during web page generation) that compromises the confidentiality, integrity, and availability of users' browsing sessions.
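The pattern the advisory describes, as an added illustration that is not code from the LMS theme or from DesignThemes: a template that echoes a request parameter unescaped (the vulnerable form), beside a hardened version using the WordPress escaping and sanitization API. The parameter name `q` and the function names are hypothetical placeholders.

```php
<?php
// Added illustration only, not the LMS theme's code. The request parameter
// "q" and the function names are hypothetical placeholders.

// VULNERABLE: raw request input is concatenated straight into the HTML
// response, so any markup or script in the parameter is rendered as-is.
function lms_render_search_title_vulnerable(): string {
    $term = isset($_GET['q']) ? $_GET['q'] : '';
    return '<h2>Results for: ' . $term . '</h2>';
}

// HARDENED: unslash, sanitize on input, and escape for the HTML context
// on output. sanitize_text_field() strips tags and control characters;
// esc_html() HTML-encodes <, >, &, " and ' so the value renders as text.
function lms_render_search_title_hardened(): string {
    $term = isset($_GET['q'])
        ? sanitize_text_field(wp_unslash($_GET['q']))
        : '';
    return '<h2>Results for: ' . esc_html($term) . '</h2>';
}

// Escaping is context-specific: use esc_attr() inside attribute values and
// esc_url() for href/src. Sanitization alone is not enough; always escape at
// the point of output, which is what closes a reflected-XSS sink like this.
```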
Affected Systems
The LMS WordPress theme from DesignThemes is affected. Versions up to and including 9.7 are vulnerable; the only publicly documented mitigation is to upgrade to a version newer than 9.7. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 7.1 classifies the issue as high severity. No EPSS score is available, so it is unclear how frequently exploitation attempts are observed. The vulnerability is not recorded in CISA's KEV catalog. Because the flaw is unauthenticated and reflected, the attack vector is inferred to be remote: a crafted request to the theme's page, typically delivered as a link that a victim's browser loads.
OpenCVE Enrichment