PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6268 EventPress CVE debrief

A reflected cross-site scripting (XSS) vulnerability exists in the EventPress WordPress theme prior to version 22.2. The flaw resides in the `eventpress_customizer_notify_dismiss_action` AJAX handler, which fails to sanitize or escape the 'id' parameter before reflecting it in the response. Unauthenticated attackers can exploit this to execute malicious scripts in the context of logged-in users' browsers. The vulnerability was disclosed on 2026-05-27 and is documented in WPScan's vulnerability database. No CISA KEV listing or known ransomware campaign use has been identified.

Vendor: EventPress
Product: EventPress WordPress Theme
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using EventPress theme; security teams monitoring WordPress plugin/theme vulnerabilities; developers maintaining custom AJAX handlers in WordPress themes

Technical summary

The EventPress theme's `eventpress_customizer_notify_dismiss_action` AJAX endpoint accepts an 'id' parameter that is output without sanitization or escaping, enabling reflected XSS. Attackers can craft malicious URLs containing JavaScript payloads in the 'id' parameter that execute when a logged-in user visits the link. The vulnerability requires user interaction (clicking a malicious link) but can compromise administrator sessions.

Defensive priority

medium

Recommended defensive actions

  • Update EventPress WordPress theme to version 22.2 or later
  • Implement Web Application Firewall (WAF) rules to filter malicious 'id' parameter payloads in AJAX requests
  • Review and sanitize all user-supplied parameters in custom AJAX handlers
  • Conduct security review of customizer notification dismissal functionality
  • Monitor for suspicious AJAX requests to `eventpress_customizer_notify_dismiss_action` endpoint
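The bug class described in the technical summary, and the "review and sanitize" action above, shown side by side as a constructed illustration: this is added example code, not the EventPress theme's own handler, and every function, option, hook and nonce name in it is hypothetical.

```php
<?php
// Added illustration (not the EventPress theme's code): a customizer-notice
// dismissal AJAX handler in its vulnerable shape, beside a hardened version.

// VULNERABLE pattern: the 'id' request parameter is reflected without
// sanitization or escaping, so a crafted link yields reflected XSS in the
// browser of whoever follows it. Registering the hook under wp_ajax_nopriv_
// as well makes the endpoint reachable without logging in.
function vulnerable_notify_dismiss_action() {
    $id = $_REQUEST['id'];
    update_option( 'my_theme_notice_dismissed_' . $id, 1 );
    echo 'Dismissed notice ' . $id; // raw reflection of untrusted input
    wp_die();
}

// HARDENED version of the same handler.
function hardened_notify_dismiss_action() {
    // 1. Require a nonce issued to this user for this action (CSRF guard).
    check_ajax_referer( 'my_theme_notice_nonce', 'nonce' );

    // 2. Require a capability; dismissing customizer notices is an admin task.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Sanitize: restrict 'id' to a key-like shape instead of free text.
    $id = isset( $_POST['id'] ) ? sanitize_key( wp_unslash( $_POST['id'] ) ) : '';

    // 4. Validate against an allow-list of notices the theme actually emits.
    $known_notices = array( 'welcome', 'update_available' );
    if ( '' === $id || ! in_array( $id, $known_notices, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown notice id' ), 400 );
    }

    update_option( 'my_theme_notice_dismissed_' . $id, 1 );

    // 5. Escape on output and reply as JSON, so the value is never rendered
    //    as HTML even if a later change drops the escaping.
    wp_send_json_success( array( 'id' => esc_html( $id ) ) );
}

// Authenticated hook only: no wp_ajax_nopriv_ registration, so anonymous
// requests never reach the handler.
add_action( 'wp_ajax_my_theme_notify_dismiss', 'hardened_notify_dismiss_action' );
```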

Evidence notes

Vulnerability confirmed via WPScan advisory. Vendor attribution marked as low confidence requiring review due to 'Unknown Vendor' classification in source data.

Official resources

2026-05-27