EPSS
Percentile
47.5%
Due to missing capability checks and security nonces, an unauthenticated attacker can use the theme options import feature to inject JavaScript code into all pages and posts of the website
blog.nintechnet.com/unauthenticated-stored-xss-vulnerability-in-wordpress-onetone-theme-unpatched/
blog.sucuri.net/2020/04/onetone-vulnerability-leads-to-javascript-cookie-hijacking.html