The EventPress WordPress theme prior to version 22.2 contains a reflected XSS vulnerability (CWE-79) due to improper handling of the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler. Specifically, the parameter is neither sanitized nor escaped before being reflected in the server response, enabling attackers to craft malicious requests that execute arbitrary JavaScript in the context of logged-in users' browsers. This vulnerability requires no authentication to trigger but targets authenticated users.

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the browsers of logged-in users, potentially leading to session hijacking, unauthorized actions performed on behalf of the user, or other malicious activities within the context of the affected WordPress site. However, there is no indication of known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions before 22.2, upgrading to version 22.2 or later (once available) is recommended if the vendor releases a fix. Until then, consider applying custom input sanitization or disabling the vulnerable AJAX handler if feasible.