The WordPress OneTone theme, which has 20,000+ active installations, is prone in version 3.0.6 and below to an unauthenticated settings import vulnerability that could lead to multiple stored XSS issues. The issue was reported to the wordpress.org theme team on September 11, 2019, and the theme was permanently removed from the repo on October 10, 2019.