Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.
AnalysisAI
Reflected cross-site scripting in the EventPress WordPress theme (all versions before 22.2) lets unauthenticated attackers inject arbitrary JavaScript by abusing the unsanitized 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler, which echoes the value back into the response without escaping. An attacker who lures a logged-in user (typically an administrator working in the Customizer/admin context) to a crafted link executes script in that user's session, enabling actions such as session/cookie theft or admin-context operations. EPSS exploitation probability is very low (0.05%, 17th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The flaw lives in a WordPress theme AJAX endpoint registered through WordPress's admin-ajax.php mechanism (the eventpress_customizer_notify_dismiss_action handler, tied to the theme Customizer's notification-dismiss feature). User-supplied input via the 'id' request parameter is reflected directly into the HTTP response body without sanitization or output escaping, the textbook root cause of CWE-79 (Improper Neutralization of Input During Web Page Generation). Because WordPress AJAX actions prefixed with wp_ajax_nopriv_ are reachable without authentication, the handler is exposed to anonymous requests, and the absence of an escaping function (e.g., esc_html/esc_attr) on output is what turns reflected input into executable markup in the victim's browser.
RemediationAI
Vendor-released patch: 22.2 - update the EventPress theme to version 22.2 or later, which adds the missing sanitization/escaping on the reflected 'id' value. Consult the WPScan advisory at https://wpscan.com/vulnerability/77192aeb-8e4b-4057-b5d7-2b95da634edd/ for confirmation of the fixed release. If immediate upgrade is not possible, deploy compensating controls: place a WAF rule to block or strip script-like payloads and angle brackets in the 'id' parameter on requests to admin-ajax.php for the eventpress_customizer_notify_dismiss_action action (trade-off: may break the legitimate dismiss feature and can be bypassed by encoding tricks), and restrict access to /wp-admin/ and admin-ajax.php by IP allowlisting where feasible (trade-off: hampers remote administrators). Reflected XSS still requires tricking an authenticated user, so reinforce admin awareness about clicking untrusted links and consider a strict Content-Security-Policy that disallows inline script (trade-off: may interfere with plugins/themes that rely on inline JavaScript).
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32097
GHSA-2m2r-cm3x-6c7x