Impact
This CVE describes a basic cross-site scripting flaw in the SpabRice Nyla WordPress theme, versions up to and including 1.7. The vulnerability stems from the theme's failure to neutralize script-related HTML tags within rendered shortcodes, allowing an attacker to inject script into web pages served to visitors. The flaw is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, basic XSS): insufficient input sanitization or output escaping lets arbitrary executable script reach the browser, which can compromise user sessions, data integrity, and site reputation.
Affected Systems
The issue affects every deployment of the Nyla theme developed by SpabRice that is running version 1.7 or earlier. Sites that have not upgraded beyond this release are therefore exposed, irrespective of other WordPress configuration or security measures.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and no EPSS score is currently available, so there is no published measure of recent exploitation activity. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker placing malicious content through the WordPress content editor or any other interface that processes the theme's shortcodes; typically only users with permission to edit posts or pages would be able to inject the harmful code. Successful exploitation would let the attacker run arbitrary JavaScript in the browsers of site visitors, leading to potential credential theft or phishing. The risk is therefore primarily a browser-side script-execution threat that could be amplified by social engineering or by the visitor's browser context.
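The following is an added illustration of the bug class (CWE-80 in a shortcode handler), not code from the Nyla theme: a hypothetical [demo_box] shortcode rendered first without escaping, then with context-appropriate escaping and an HTML allow-list. Save-time kses filtering of post content is not a substitute for this, because users holding the unfiltered_html capability bypass it.

```php
<?php
// Hypothetical shortcode [demo_box title="..."]content[/demo_box];
// neither function is part of the Nyla theme.

// Vulnerable pattern: the attribute and the inner content are
// concatenated into the page as-is. A title that closes the attribute
// quote, or inner content carrying <script> or on* handlers, is sent
// unchanged to every visitor (CWE-80).
function demo_box_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'demo_box' );
    return '<div class="box" title="' . $atts['title'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . do_shortcode( $content )
         . '</div>';
}

// Hardened pattern: escape each value for the context it lands in
// (HTML attribute vs. element text) and pass the rendered inner HTML
// through wp_kses_post(), whose allow-list drops script tags and
// event-handler attributes while keeping ordinary post markup.
function demo_box_hardened( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'demo_box' );
    return '<div class="box" title="' . esc_attr( $atts['title'] ) . '">'
         . '<h3>' . esc_html( $atts['title'] ) . '</h3>'
         . wp_kses_post( do_shortcode( $content ) )
         . '</div>';
}

// Only the hardened handler is registered.
add_shortcode( 'demo_box', 'demo_box_hardened' );
```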
OpenCVE Enrichment