CVE-2026-6268
HighSummary
The EventPress WordPress theme before version 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.
Risk Assessment
Attackers can exploit this vulnerability to inject malicious JavaScript code, potentially leading to session hijacking or other unwanted actions.
Recommendation
It is recommended to update the EventPress theme to version 22.2 or later to mitigate this vulnerability.
Original NVD description (English source)
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

