Several themes for WordPress have a vulnerability to Reflected Cross-Site Scripting. This could allow unauthenticated attackers to inject web scripts into pages that are executed when a user performs an action, such as clicking on a link. This vulnerability is due to a lack of input sanitization and output escaping in the ‘id’ parameter of the ‘[different-value]_customizer_notify_dismiss_action’ and ‘[different-value]_customizer_notify_dismiss_recommended_plugins’ AJAX actions. There are additional variants of these AJAX actions, such as ‘[different-value]_customizer_notify_dismiss_recommended_action_callback’ and ‘[different-value}_customizer_notify_dismiss_recommended_plugins_callback’.