Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bramwaas Simple Google Calendar Outlook Events Block Widget simple-google-icalendar-widget allows Stored XSS. This issue affects Simple Google Calendar Outlook Events Block Widget: from n/a through <= 2.5.0.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets an attacker inject malicious JavaScript into the plugin's HTML output, resulting in stored XSS. When a browser renders a page that includes the widget, the attacker's script executes with the privileges of the page's user, enabling data theft, session hijacking, or further malicious actions.

Affected Systems

WordPress sites using the bramwaas Simple Google Calendar Outlook Events Block Widget plugin version 2.5.0 or earlier are vulnerable; the vulnerability was identified in all releases up to and including 2.5.0 and is fixed in later versions (2.6.0+).

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability. The EPSS score of <1% suggests a low probability of exploitation at the time of analysis, and the issue is not listed in CISA’s KEV catalog. Likely exploitation would involve an attacker with write access to the plugin’s configuration or event data, inserting payloads that are stored and rendered on page load, thereby compromising any user who views a page that displays the widget.

Generated by OpenCVE AI on May 1, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 2.6.0 or newer
  • If a plugin update cannot be applied immediately, disable or remove the widget from all pages until a patch is available
  • Implement a Content Security Policy that disallows inline scripting and restricts script sources to trusted origins
  • Restrict access to the plugin’s configuration area to trusted administrators and validate all input to prevent injection

Advisories

Source: EUVD
ID: EUVD-2025-14967
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A.H.C. Waasdorp Simple Google Calendar Outlook Events Block Widget allows Stored XSS. This issue affects Simple Google Calendar Outlook Events Block Widget: from n/a through 2.5.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A.H.C. Waasdorp Simple Google Calendar Outlook Events Block Widget allows Stored XSS. This issue affects Simple Google Calendar Outlook Events Block Widget: from n/a through 2.5.0.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bramwaas Simple Google Calendar Outlook Events Block Widget simple-google-icalendar-widget allows Stored XSS. This issue affects Simple Google Calendar Outlook Events Block Widget: from n/a through <= 2.5.0.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 27 Mar 2025 16:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 15:45:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A.H.C. Waasdorp Simple Google Calendar Outlook Events Block Widget allows Stored XSS. This issue affects Simple Google Calendar Outlook Events Block Widget: from n/a through 2.5.0.

Type: Title
Value: WordPress Simple Google Calendar Outlook Events Block Widget plugin <= 2.5.0 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Value: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.368Z

Reserved: 2025-01-07T10:22:25.313Z

Link: CVE-2025-22497

Vulnrichment

Updated: 2025-03-27T16:03:24.976Z

NVD

Status: Deferred

Published: 2025-03-27T16:15:27.963

Modified: 2026-06-17T08:47:46.420

Link: CVE-2025-22497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:45:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')