PT-2026-43496 · WordPress · Eventpress
Mustafa Ahmed · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-6268
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
EventPress versions prior to 22.2
Description
The EventPress WordPress theme fails to sanitize or escape the id parameter within the 'eventpress customizer notify dismiss action' AJAX handler. Because the handler outputs the unsanitized input back in the response, unauthenticated attackers can carry out Reflected Cross-Site Scripting (XSS) attacks against logged-in users.
Recommendations
Update to version 22.2 or later.
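As an added illustration, not the theme's own code, the following hypothetical WordPress AJAX handler shows the pattern the advisory describes (a request parameter reflected into the response without sanitization or escaping) beside a hardened version; the hook name, function names and nonce action are assumptions.

```php
<?php
// Added example, not EventPress code. Hook, function and nonce names are hypothetical.

// Vulnerable pattern: the id parameter is read from the request and written
// back into the response verbatim, so attacker-controlled markup in a crafted
// link is reflected into a logged-in user's browser.
function example_notify_dismiss_vulnerable() {
    $id = isset( $_REQUEST['id'] ) ? $_REQUEST['id'] : '';
    echo 'Dismissed notice: ' . $id;
    wp_die();
}

// Hardened version:
//  1. the request is tied to a nonce, so the handler cannot be triggered by a
//     link the victim did not intend to follow;
//  2. id is sanitized on input and restricted to a known-safe character set;
//  3. every value placed in the response is escaped, and the response is sent
//     as JSON rather than HTML.
function example_notify_dismiss_hardened() {
    check_ajax_referer( 'example_notify_dismiss', 'nonce' );

    // sanitize_key() keeps only lowercase alphanumerics, dashes and underscores.
    $id = isset( $_REQUEST['id'] ) ? sanitize_key( wp_unslash( $_REQUEST['id'] ) ) : '';
    if ( '' === $id ) {
        wp_send_json_error( array( 'message' => 'missing id' ), 400 );
    }

    // Record the dismissal for the current user only.
    update_user_meta( get_current_user_id(), 'example_dismissed_' . $id, 1 );

    // wp_send_json_success() sets Content-Type: application/json, so the body
    // is not rendered as HTML; esc_html() is still applied in case the value
    // is later inserted into markup by client-side code.
    wp_send_json_success( array( 'id' => esc_html( $id ) ) );
}

// Only logged-in users dismiss customizer notices, so the handler is registered
// on the authenticated wp_ajax_ hook and not on wp_ajax_nopriv_.
add_action( 'wp_ajax_example_notify_dismiss', 'example_notify_dismiss_hardened' );
```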
Affected Products
Eventpress