CVE-2026-6268
HIGH NVDCVSS Score
7.1
Severity
HIGH
Source
NVD
Published
May 27, 2026
Description
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.