This vulnerability in Kriesi Enfold theme versions <= 7.1.2 allows stored cross-site scripting due to improper input neutralization during web page generation. An attacker with low privileges and requiring user interaction can exploit this to execute arbitrary scripts in the context of the victim's browser, potentially leading to partial confidentiality, integrity, and availability impacts. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, reflecting network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and low impacts on confidentiality, integrity, and availability.

Successful exploitation can lead to execution of arbitrary scripts in users' browsers, potentially allowing theft of sensitive information, session hijacking, or other malicious actions affecting confidentiality, integrity, and availability to a limited extent. The vulnerability requires user interaction and low privileges, limiting the ease of exploitation. No known active exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with user-generated content and consider applying temporary mitigations such as input sanitization or disabling vulnerable features if feasible. Monitor official Kriesi channels for updates.