XSS vulnerability in multiple premium WordPress themes

According to my tests, the following premium WordPress themes by Flow / Devatic are affeted by a reflected Cross-site Scripting (XSS) vulnerability:

• Daisho
• Konzept
• TheAgency
• Sparky
• PictureFactory
• Paramount
• Essence
• Explicit
• Eunice
• Blaze
• Brisk
• Shapeless

Developer status: notified. Developer response: considered as a minor issue.

Screen-shot of the Blaze theme XSS vulnerability:

 
According to developer's Themeforest profile, 5482 sales have been completed. Potential number of affected customers is however unknown. I tested 26 separate websites using Flow/Devatic themes. Most of the sites are using WordPress version 3.4.x and at least two are using the latest version. All tested sites were vulnerable to reflected Cross-site Scripting.