Description
The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting.
Proof of Concept
https://example.com/wp-admin/admin-ajax.php?action=cb_s_a&cbi=