HIGHCVE-2026-6268Published Modified CNA WPScan
CVE-2026-6268: EventPress < 22.2 – Reflected Cross-Site Scripting
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.
Metrics
- CVSS v3.1
- 7.1
- Severity
- HIGH
- Fixed in
- 22.2
- Affected Products
- 1
Fix available
22.2
Affected packages
- Unknown / EventPress< 22.2 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:LReferences