The reporter found a vulnerability in the theme being used for the WP installation. This was a followup-report on #324442. The result was a reflected XSS.
The vulnerable functionality was restricted.
Running a system which potentially carries a lot of vulnerable endpoints and bad default settings is always a risk. Moreover, keeping track of potential vulnerabilities in themes is very tedious. Hardening should always be compulsory, but may not always be straightforward. While we do our best to be proactive in running our software securely, we do occasionally hit and miss. In this case, the reporter provided excellent value both from a technical point of view as well as explaining the potential impact. A learning opportunity for the occasional reader - put effort into things that matter to the organization you are reporting to.
This bug is related to #324442. And xss in other url.
-Show spoofed content which can be used in social engineering attacks (such as fake login pages, fake invoices, face contact details, fake announcements etc.).