HIGH
EventPress
CVE published 2026-05-27
CVE-2026-6268
A reflected cross-site scripting (XSS) vulnerability exists in the EventPress WordPress theme prior to version 22.2. The flaw resides in the `eventpress_customizer_notify_dismiss_action` AJAX handler, which fails to sanitize or escape the 'id' parameter before reflecting it in the response. Unauthenticated attackers can exploit this to execute malicious scripts in the context of logged-in users' browsers. [truncated]
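A log check for requests reaching the handler described above, as an added example that is not part of the advisory or the theme's code. It assumes the AJAX action name equals the handler name, that requests go to WordPress's `admin-ajax.php` with parameters in the query string, and that legitimate `id` values are short alphanumeric tokens; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the AJAX action name equals the handler name given in the advisory.
ACTION = "eventpress_customizer_notify_dismiss_action"
AJAX_PATH = "/wp-admin/admin-ajax.php"  # WordPress core AJAX endpoint
# Assumption: a legitimate notice id is a short token with no markup characters.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_ids(log_lines):
    """Return (line_number, decoded_id) for handler requests whose id is not a plain token."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # endswith() also covers WordPress installed in a subdirectory.
        if not url.path.endswith(AJAX_PATH):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
        if ACTION not in params.get("action", []):
            continue
        for value in params.get("id", []):
            # Allowlist match: anything beyond a plain token is reported,
            # including values still percent-encoded after one decode.
            if not SAFE_ID.fullmatch(value):
                hits.append((n, value))
    return hits


# Constructed access-log lines (combined log format), not real traffic.
# Parameters sent in a POST body do not appear in access logs and are not covered.
SAMPLE = [
    '203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=eventpress_customizer_notify_dismiss_action&id=notice-3 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2026:10:02:17 +0000] "GET /wp-admin/admin-ajax.php?action=eventpress_customizer_notify_dismiss_action&id=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2026:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=%3Cb%3E HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2026:10:03:02 +0000] "GET /blog/wp-admin/admin-ajax.php?action=eventpress_customizer_notify_dismiss_action&id=%253Cimg HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, value in suspicious_ids(SAMPLE):
        print(f"line {line_no}: id={value!r}")
```

Hits on a site running a version prior to 22.2 are worth correlating with the referrer and with the session of the logged-in user who followed the link.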