CVE-2026-6268
Description
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated reflected XSS in EventPress WordPress theme before 22.2 via unsanitized 'id' parameter in AJAX handler.
Vulnerability
The EventPress WordPress theme prior to version 22.2 does not sanitize or escape the id parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it in the response [1]. This allows unauthenticated attackers to inject arbitrary JavaScript into the response of the handler.
Exploitation
An unauthenticated attacker can craft a malicious URL with a JavaScript payload in the id parameter. If a logged-in WordPress user (e.g., an administrator) is convinced to visit the crafted URL, the AJAX handler reflects the unsanitized payload and the script executes in the victim's browser context [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript within the victim's authenticated session. This can lead to session hijacking, unauthorized actions, or theft of sensitive information, depending on the privileges of the compromised user [1].
Mitigation
The vulnerability is addressed in version 22.2 of the EventPress theme. Users should update to this version or later immediately. No workarounds have been disclosed [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
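To make the flaw and the fix concrete, here is an added illustration (not EventPress code; the theme's real source is not on this page) of a WordPress AJAX handler that reflects the id parameter unescaped, beside a hardened form. The function names, the nonce name, the capability and the allowlist values are assumptions; the action name comes from the advisory.

```php
<?php
// Added illustration, not EventPress code: the handler shape is assumed from
// the advisory text (reflect 'id' into the response without sanitizing/escaping).

// Vulnerable pattern as described by the advisory: the request parameter is
// echoed back unescaped, so a crafted link runs script for a logged-in visitor.
function eventpress_notify_dismiss_vulnerable() {
    $id = isset( $_REQUEST['id'] ) ? $_REQUEST['id'] : '';
    update_option( 'eventpress_notice_dismissed_' . $id, 1 ); // assumed side effect
    echo 'Dismissed notice ' . $id;                           // unescaped reflection
    wp_die();
}

// Hardened form: verify a nonce (a crafted third-party link cannot carry one),
// require a capability, reduce the input to a known notice id, and answer in
// JSON so the response is never interpreted as HTML by the browser.
function eventpress_notify_dismiss_hardened() {
    check_ajax_referer( 'eventpress_notify_dismiss', 'nonce' ); // nonce name assumed
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // sanitize_key() keeps only [a-z0-9_-], which strips any markup or quotes.
    $id = isset( $_REQUEST['id'] ) ? sanitize_key( wp_unslash( $_REQUEST['id'] ) ) : '';
    $allowed = array( 'customizer_welcome', 'customizer_upgrade' ); // constructed allowlist
    if ( ! in_array( $id, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown notice' ), 400 );
    }
    update_option( 'eventpress_notice_dismissed_' . $id, 1 );
    // wp_send_json_success() sets Content-Type: application/json and JSON-encodes
    // the payload. If the value ever had to be rendered as HTML, use esc_html( $id ).
    wp_send_json_success( array( 'id' => $id ) );
}

// Hook wiring is assumed; only the action name is taken from the advisory.
add_action( 'wp_ajax_eventpress_customizer_notify_dismiss_action', 'eventpress_notify_dismiss_hardened' );
```

The nonce check alone defeats the crafted-link delivery described above, and the JSON response removes the HTML execution context even if a value slipped through sanitization.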
Affected products
2 entries, neither with a CPE identifier:
- (no CPE) range: <22.2
- (no CPE) range: <22.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference (cited as [1] above)
News mentions
No linked articles in our index yet.