Description

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.
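As an added illustration, not the theme's own code (the record does not show it), here is the pattern the description names beside a hardened form of the same handler; all hook and function names are hypothetical:

```php
<?php
// Added illustration, not the EventPress theme's code. Hook names, callback
// names and the nonce action are hypothetical.

// VULNERABLE pattern: the 'id' request parameter is reflected into the
// response without sanitization or escaping, and the handler is registered
// for unauthenticated (nopriv) callers, so a logged-in user who is lured
// into requesting admin-ajax.php with a crafted 'id' receives it rendered.
function demo_dismiss_vulnerable() {
    $id = isset( $_REQUEST['id'] ) ? $_REQUEST['id'] : '';
    echo 'Dismissed notice ' . $id; // raw reflection into an HTML body
    wp_die();
}
add_action( 'wp_ajax_demo_dismiss_vuln', 'demo_dismiss_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_dismiss_vuln', 'demo_dismiss_vulnerable' );

// HARDENED pattern: require a nonce so the action cannot be triggered
// cross-site, require a capability (no nopriv registration), restrict the
// input to the shape a notice id can have, escape it on output, and answer
// as JSON so the browser does not treat the body as markup.
function demo_dismiss_hardened() {
    check_ajax_referer( 'demo_dismiss', 'nonce' ); // terminates on failure
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $raw = isset( $_REQUEST['id'] ) ? wp_unslash( $_REQUEST['id'] ) : '';
    $id  = sanitize_key( $raw ); // lowercase [a-z0-9_-] only
    if ( '' === $id || $id !== $raw ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }
    update_option( 'demo_dismissed_' . $id, 1 );
    wp_send_json_success( array( 'id' => esc_html( $id ) ) );
}
add_action( 'wp_ajax_demo_dismiss', 'demo_dismiss_hardened' );
```

Reflected XSS through admin-ajax.php depends on the response being served as HTML; the `wp_send_json_*` helpers set an `application/json` content type, which is why the hardened handler uses them even after escaping.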

PUBLISHED Reserved 2026-04-14 | Published 2026-05-27 | Updated 2026-05-27 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status: unaffected

Any version before 22.2: affected

Credits

Mustafa Ahmed (finder)

WPScan (coordinator)

References

wpscan.com/...rability/77192aeb-8e4b-4057-b5d7-2b95da634edd/ exploit vdb-entry technical-description

cve.org (CVE-2026-6268)

nvd.nist.gov (CVE-2026-6268)