via wordfence.com => original post link
On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations. The plugin developer responded the same day and we provided full disclosure.
Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023.
A patched version of the Weaver Show Posts plugin, 1.7, was released on April 1, 2023, while the patched version 6.2 of the Weaver Xtreme theme became available on April 5, 2023.