A stored cross-site scripting vulnerability in the Total WordPress theme (versions 2.2.1 and earlier) allows authenticated users with contributor-level access to inject malicious scripts via post titles. Those scripts execute in the browsers of visitors viewing the home blog section when a featured image is present. For organizations running WordPress sites on this theme, the primary risk is session hijacking, credential theft, or malicious redirects affecting site visitors.
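The audit below is an added example, not code from the Total theme or from the original advisory: it checks stored post titles for markup that would execute if a template echoed the title unescaped, and shows the output escaping that neutralizes it. The `Post` record, the sample titles and the pattern set are constructed assumptions; the advisory does not say which HTML context the title lands in, so both element and attribute contexts are covered.

```python
import html
import re
from typing import NamedTuple

class Post(NamedTuple):  # hypothetical export record, not a WordPress structure
    post_id: int
    title: str
    author_role: str
    has_featured_image: bool  # the advisory's condition for the script to run

# Assumed heuristics: markup that only matters when a title is echoed unescaped.
CHECKS = {
    "html_tag": re.compile(r"</?[a-zA-Z]|<!"),
    "event_handler_attr": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script_url": re.compile(r"\bjavascript\s*:", re.I),
}

def audit_titles(posts):
    """Return (post_id, author_role, exposed_now, reasons) per suspicious title."""
    findings = []
    for p in posts:
        # Decode entities first, so an entity-encoded title is judged by what
        # a browser would parse if a template decoded it before output.
        decoded = html.unescape(p.title)
        reasons = sorted(name for name, rx in CHECKS.items() if rx.search(decoded))
        if reasons:
            findings.append((p.post_id, p.author_role, p.has_featured_image, reasons))
    return findings

def render_title(title):
    """Escape for element and attribute context alike before writing to HTML."""
    return html.escape(title, quote=True)

# Constructed sample data: benign titles mixed with titles carrying markup.
SAMPLE_POSTS = [
    Post(101, "Spring menu & opening hours", "editor", True),
    Post(102, "<script>alert(1)</script>", "contributor", True),
    Post(103, 'Photo" onerror="alert(1)', "contributor", True),
    Post(104, "&lt;img src=x&gt; draft", "contributor", False),
    Post(105, "5 < 7 and other facts", "author", True),
]

if __name__ == "__main__":
    for finding in audit_titles(SAMPLE_POSTS):
        print(finding)
```

A finding with `exposed_now` set to `False` is still stored markup; it becomes reachable as soon as a featured image is attached to that post.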