Themes Vulnerabilities

EventPress < 22.2 – Reflected Cross-Site Scripting

Description

The theme does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

Proof of Concept

Affects Themes

eventpress
Fixed in 22.2

References

CVE
CVE-2026-6268

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Mustafa Ahmed
Submitter
Mustafa Ahmed
Submitter website
https://fortressmssp.com
Verified
Yes
WPVDB ID
77192aeb-8e4b-4057-b5d7-2b95da634edd

Timeline

Publicly Published
2026-05-06 (about 21 days ago)
Added
2026-05-06 (about 20 days ago)
Last Updated
2026-05-06 (about 20 days ago)

Other

Published
Title
Published
2021-11-29
Title
MOLIE <= 0.5 - Reflected Cross-Site Scripting
Published
2025-06-12
Title
Responsive Blocks < 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-07-16
Title
Ultimate Addons for WPBakery Page Builder < 3.19.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-09-23
Title
Multiple Plugins by eMarket Design <= Various Versions - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-11-03
Title
Broken Link Manager <= 0.6.5 - Reflected XSS