CVE-2026-6268
Status: Deferred - Pending Action
Reflected XSS in EventPress WordPress Theme

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: WPScan

Description
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Vendor: eventpress
Product: eventpress
Version / Range: before 22.2 (22.2 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-6268 is a reflected Cross-Site Scripting (XSS) vulnerability found in the EventPress WordPress theme versions before 22.2. The vulnerability arises because the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler is not properly sanitized or escaped before being included in the response.

This flaw allows unauthenticated attackers to inject malicious scripts into the response. When a logged-in user visits a specially crafted URL containing the malicious script, the script executes in their browser, potentially compromising their session or data.

Impact Analysis

This vulnerability allows attackers to execute malicious scripts in the browsers of logged-in users of the affected WordPress site. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, or other malicious activities.

Since the attacker does not need to be authenticated, they can exploit this vulnerability remotely by tricking users into visiting crafted URLs.

Detection Guidance

This vulnerability can be detected by checking if the EventPress WordPress theme version is below 22.2 and by testing the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler for reflected Cross-Site Scripting (XSS).

A practical detection method is to send a crafted request to the AJAX handler with a script tag in the 'id' parameter and observe if the script is reflected in the response without sanitization.

  • Use curl or similar tools to send a request like: curl -G 'https://example.com/wp-admin/admin-ajax.php' --data-urlencode 'action=eventpress_customizer_notify_dismiss_action' --data-urlencode 'id=<script>alert(1)</script>'
  • Check the response for the presence of the injected script tag to confirm the vulnerability.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the EventPress WordPress theme to version 22.2 or later, where the issue has been fixed.

Until the update can be applied, consider restricting access to the AJAX handler or implementing web application firewall (WAF) rules to block malicious requests targeting the 'id' parameter.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
