Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through <= 1.5.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored XSS flaw in the WP FullCalendar plugin up to and including version 1.5. Attackers can inject malicious scripts that are rendered in the browser of any visitor to a page that uses the plugin. This can lead to cookie theft, session hijacking, or other client‑side compromise, as the script runs with the privileges of the site’s users. The weakness is classified as CWE‑79 – Improper Neutralization of Input During Web Page Generation.

Affected Systems

WP FullCalendar is distributed by Marcus (aka @msykes). All WordPress sites that install this plugin with any release up to and including 1.5 are potentially affected, as the vulnerability spans from the first release through version 1.5.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests the likelihood of exploitation is currently low. The plugin is not listed in CISA’s KEV catalog. The most likely attack path involves an attacker inserting malicious content via the plugin’s input interface (e.g., event descriptions); any user who loads the affected page will execute the injected script. The required conditions and exact scope are not explicitly stated in the advisory, but the stored nature of the flaw implies that content is retained and displayed without proper sanitization.

Generated by OpenCVE AI on May 1, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP FullCalendar to a version newer than 1.5 or remove the plugin from the site.
  • If an upgrade is not immediately possible, restrict or disable the plugin’s input fields to prevent new malicious content from being stored.
  • Verify that no existing malicious scripts remain in plugin‑managed content and sanitize any retained entries manually before a patch can be applied.

Advisories
Source: EUVD
ID: EUVD-2025-2680
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar wp-fullcalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar wp-fullcalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through <= 1.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 26 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar wp-fullcalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5.

Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite WP FullCalendar allows Stored XSS. This issue affects WP FullCalendar: from n/a through 1.5.
Title WordPress WP FullCalendar plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Pixelite Wp Fullcalendar
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.682Z

Reserved: 2025-01-02T12:02:05.150Z

Link: CVE-2025-22261

Vulnrichment

Updated: 2025-01-07T15:50:57.194Z

NVD

Status: Deferred

Published: 2025-01-07T11:15:13.290

Modified: 2026-04-23T15:22:54.887

Link: CVE-2025-22261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses