The theme contains a Brands feature which is vulnerable to stored Cross Site Scripting (XSS) within the logo URL parameter.
November 27th, 2020 - Vendor Contacted via https://themeftc.ticksy.com/submit/
November 28th-29th, 2020 - Exchanges with vendor's support but they do not understand the issue.
November 30th, 2020 - Escalated to Envato and disclosure
December 3rd, 2020 - v1.2.1 released, apparently fixing the issue (but we were not able to confirm)