CVE-2026-6268
Reflected XSS in EventPress WordPress Theme
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: WPScan
Description
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6268 is a reflected Cross-Site Scripting (XSS) vulnerability found in the EventPress WordPress theme versions before 22.2. The vulnerability arises because the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler is not properly sanitized or escaped before being included in the response.
This flaw allows unauthenticated attackers to inject malicious scripts into the response. When a logged-in user visits a specially crafted URL containing the malicious script, the script executes in their browser, potentially compromising their session or data.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of logged-in users of the affected WordPress site. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, or other malicious activities.
Since the attacker does not need to be authenticated, they can exploit this vulnerability remotely by tricking users into visiting crafted URLs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the EventPress WordPress theme version is below 22.2 and by testing the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler for reflected Cross-Site Scripting (XSS).
A practical detection method is to send a crafted request to the AJAX handler with a script tag in the 'id' parameter and observe if the script is reflected in the response without sanitization.
- Use curl or a similar tool to send a request like: `curl -G 'https://example.com/wp-admin/admin-ajax.php' --data-urlencode 'action=eventpress_customizer_notify_dismiss_action' --data-urlencode 'id=<script>alert(1)</script>'`
- Check the response for the presence of the injected script tag to confirm the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the EventPress WordPress theme to version 22.2 or later, where the issue has been fixed.
Until the update can be applied, consider restricting access to the AJAX handler or implementing web application firewall (WAF) rules to block malicious requests targeting the 'id' parameter.
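As an added illustration (not the EventPress theme's actual code), the reflection pattern described above sits beside a hardened version of the same AJAX handler in WordPress PHP; the handler bodies, the nonce action name, the option key and the notice allow-list are assumptions.

```php
<?php
// Added illustration, not EventPress code: handler bodies, option key, nonce name are assumptions.

// Vulnerable pattern: the raw 'id' value is reflected into an HTML response without escaping.
function eventpress_customizer_notify_dismiss_action_vulnerable() {
    $id = isset( $_GET['id'] ) ? $_GET['id'] : '';
    update_option( 'eventpress_notice_dismissed_' . $id, 1 ); // hypothetical option key
    echo 'Dismissed notice: ' . $id;                           // reflected XSS sink
    wp_die();
}
// Registering a nopriv hook is what makes the reflection reachable without authentication.
// add_action( 'wp_ajax_nopriv_eventpress_customizer_notify_dismiss_action', '..._vulnerable' );

// Hardened pattern: authenticated callers only, nonce and capability checked, input allow-listed,
// and the response JSON-encoded with a non-HTML content type so nothing is parsed as markup.
function eventpress_customizer_notify_dismiss_action_fixed() {
    check_ajax_referer( 'eventpress_dismiss_nonce', 'nonce' ); // hypothetical nonce action name
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // sanitize_key() reduces the value to [a-z0-9_-], which already removes any markup.
    $id = isset( $_GET['id'] ) ? sanitize_key( wp_unslash( $_GET['id'] ) ) : '';
    // Allow-list: only notices the theme defines may be dismissed (hypothetical list).
    $known = array( 'welcome', 'upgrade' );
    if ( ! in_array( $id, $known, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown notice' ), 400 );
    }
    update_option( 'eventpress_notice_dismissed_' . $id, 1 );
    // wp_send_json_success() sets Content-Type: application/json and encodes the payload.
    wp_send_json_success( array( 'dismissed' => $id ) );
}
// Logged-in users only: with no wp_ajax_nopriv_ hook, admin-ajax.php rejects anonymous calls.
add_action( 'wp_ajax_eventpress_customizer_notify_dismiss_action', 'eventpress_customizer_notify_dismiss_action_fixed' );
```

If the handler must emit HTML rather than JSON, wrap the value in `esc_html()` at the echo; the allow-list and nonce check still apply.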