Improper Neutralization of Input During Web Page Generation is a Stored Cross‑Site Scripting flaw that enables attackers to inject malicious JavaScript into content managed by the UX‑themes Flatsome theme. The flaw exists in all releases through version 3.20.5, allowing any user with content‑submission rights to embed scripts that are rendered unescaped for all site visitors. Successful exploitation could allow session hijacking, defacement, or execution of arbitrary client‑side code, compromising confidentiality, integrity, and availability of the site.

WordPress installations that use the Flatsome theme version 3.20.5 or earlier are vulnerable. The vulnerability covers the entire range from the earliest releases through the listed maximum version, affecting every instance of the theme regardless of additional plugins or configuration.

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is less than 1 %, suggesting a low probability of observed exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack vector is inferred to be through any feature of the theme that accepts user‑generated content and renders it without proper escaping—such as product descriptions, page content, or custom fields—requiring only standard content‑creation permissions and no elevated privileges. Though exploitation is not imminent, the stored nature of the XSS means all users who view the affected content are vulnerable, warranting prompt remediation.