The theme does not sanitise the {id,datafilter[type],…} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
A threat actor can collect the nonce value on the main webpage by searching for it on the ajax_var_more call: var ajax_var_more = {“url”:“https://soledaddemo.pencidesign.net/wp-admin/admin-ajax.php”,“nonce”:“d6c491629c”,“errorPass”:"
Password does not match the confirm password</p>",“login”:“Email Address”,“password”:“Password”,“headerstyle”:“default”}; And then can create a webpage redirecting the user to a compromised version of the site such as: