includes/theme-functions.php in the OneTone theme up to and including 3.0.6 for WordPress has multiple stored XSS issues.
mageewp onetone