Impact
Unauthorized XSS can be triggered by unauthenticated users in Enfold theme 7.1.4 or earlier. A malicious payload injected via reflected input can execute in the context of any site visitor, potentially stealing cookies, hijacking sessions, or defacing the site. This weakness is classified as CWE-79.
Affected Systems
WordPress sites that include the Enfold theme version 7.1.4 or older, as released by Kriesi. The issue affects all builds up to and including 7.1.4 and remains present until the theme is upgraded to at least 7.1.5. No other WordPress core or plugin components are mentioned as impacted.
Risk and Exploitability
The CVSS score of 7.1 signals high severity. The EPSS score of less than 1% indicates that, as of now, the risk of exploitation is low but not negligible, and the vulnerability is not in the CISA KEV catalog. An attacker can exploit this remotely by sending a crafted URL or input from a third‑party site; no prior authentication is required. Mitigation therefore centers on applying the vendor patch and encoding all user‑generated output properly.
OpenCVE Enrichment