CVE-2023-4995 in Embed Calendly Plugininfo

Summary

by MITRE • 10/25/2023

The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/10/2026

The Embed Calendly plugin for WordPress represents a critical security vulnerability that affects versions up to and including 3.6 through a stored cross-site scripting flaw. This vulnerability resides within the plugin's handling of the 'calendly' shortcode implementation where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied attributes. The flaw specifically targets the plugin's shortcode processing functionality which allows administrators to embed Calendly scheduling elements directly into WordPress content through simple shortcode syntax.

The technical exploitation of this vulnerability occurs when authenticated attackers with contributor-level permissions or higher manipulate the calendly shortcode attributes to inject malicious javascript code. These attackers can leverage their elevated privileges to modify posts or pages containing the affected shortcode, creating stored XSS payloads that persist in the database. When other users access pages containing the injected content, the malicious scripts execute within their browser context, potentially compromising their sessions and enabling further attack vectors.

This vulnerability directly maps to CWE-79 which defines Cross-Site Scripting as a weakness where untrusted data is incorporated into web page content without proper validation or escaping. The issue demonstrates a clear failure in input validation and output encoding practices that violates fundamental web security principles. The operational impact extends beyond simple script execution as the stored nature of the vulnerability allows attackers to maintain persistent malicious payloads that can be triggered repeatedly across multiple user sessions. Attackers can potentially harvest cookies, session tokens, or perform actions on behalf of victims through this vector.

The security implications of this vulnerability are particularly concerning given that it requires only contributor-level privileges to exploit, which represents a relatively low barrier to entry for malicious actors. This access level typically allows users to create and edit posts, making the attack surface broader than initially apparent. The vulnerability creates opportunities for privilege escalation attacks where attackers can establish persistent access to WordPress installations, potentially leading to complete system compromise.

Mitigation strategies should prioritize immediate plugin updates to versions that address the XSS vulnerability through proper input sanitization and output escaping mechanisms. Organizations should implement role-based access controls to limit contributor privileges where possible and establish regular security audits of installed plugins. The remediation process should include thorough scanning of existing content for malicious payloads and implementing content security policies to reduce the impact of potential successful attacks. Additionally, administrators should consider implementing web application firewalls and monitoring for suspicious shortcode usage patterns to detect potential exploitation attempts.

Responsible

Wordfence

Reservation

09/15/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00348

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!