The Anih - Creative Agency WordPress Theme contains a stored cross-site scripting vulnerability due to improper neutralization of input during web page generation. Authenticated users with administrator privileges can inject arbitrary scripts via admin settings because of an incomplete blacklist and insufficient input sanitization and output escaping. This vulnerability affects multi-site WordPress installations or those with unfiltered_html disabled. The CVSS 3.1 base score is 5.5, indicating a medium severity impact with network attack vector, low attack complexity, and high privileges required. No patch or official fix is currently available, and no known exploits have been documented.

An authenticated attacker with administrator-level permissions can inject malicious scripts into pages via the theme's admin settings. These scripts execute when other users access the affected pages, potentially leading to information disclosure or session hijacking within the scope of the affected WordPress multi-site or restricted unfiltered_html environments. The impact is limited to confidentiality and integrity with no direct availability impact. The vulnerability requires high privileges and does not affect single-site installations or those with unfiltered_html enabled.

No official patch or fix is currently available for this vulnerability. Users should monitor the theme vendor's advisories for updates. Until a fix is released, restrict administrator access to trusted users only and consider disabling multi-site installations or enabling unfiltered_html capability if feasible. Review and sanitize any admin settings inputs manually to reduce risk. Avoid exposing affected pages to untrusted users. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.