CVE-2026-6268

HIGH 7.1

EventPress < 22.2 – Reflected Cross-Site Scripting

CVSS Score

7.1

EPSS Score

0.1%

EPSS Percentile

17th

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

Vendor	unknown
Product	eventpress
Published	May 27, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for unknown eventpress

Be the first to know when new high vulnerabilities affecting unknown eventpress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / EventPress

0 < 22.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/77192aeb-8e4b-4057-b5d7-2b95da634edd/

Credits

Mustafa Ahmed WPScan