This vulnerability in BuddhaThemes HYDRO (<= 2.8) involves improper neutralization of input during web page generation, resulting in reflected Cross-site Scripting (XSS). An attacker can craft a malicious link that, when visited by a user, causes arbitrary script execution in the user's browser. The CVSS 3.1 score is 7.1 (High), with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability rated as low.

Successful exploitation can allow an attacker to execute arbitrary scripts in the context of the victim's browser session, potentially leading to theft of sensitive information, session hijacking, or other malicious actions affecting confidentiality, integrity, and availability at a low level. The scope is changed, indicating the vulnerability affects resources beyond the initially vulnerable component.

Patch status is not yet confirmed — no official patch or vendor advisory is currently available. Users should monitor BuddhaThemes communications for updates and apply any forthcoming patches promptly. In the meantime, consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts if possible.