Any authenticated user can inject malicious code using the parameter contact.php?theme=inject>
resulting in a Reflected XSS vulnerability.
The flaw arises because the parameter hasn’t been properly sanitised, which might result in malicious code being injected and executed on the target’s browser.