CVE Catalog

CVE-2026-6268

High
Published: Translated: NVD NIST

Summary

The EventPress WordPress theme before version 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

Risk Assessment

Attackers can exploit this vulnerability to inject malicious JavaScript code, potentially leading to session hijacking or other unwanted actions.

Recommendation

It is recommended to update the EventPress theme to version 22.2 or later to mitigate this vulnerability.

Original NVD description (English source)

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS