Impact
The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw that lets an attacker cause JavaScript to be stored by the WordPress Contact Form 7 Calendar plugin. Once stored, the script is served to any visitor of the site, effectively producing a stored Cross‑Site Scripting (XSS) condition. This weakness, classified as CWE‑352, can enable attackers to hijack user sessions, deface the web interface, or exfiltrate data from visitors who load the compromised content.
Affected Systems
The issue affects the harrysudana Contact Form 7 Calendar plugin for WordPress. All installations running plugin version 3.0.1 or earlier are potentially vulnerable. No specific WordPress core version is cited, so any site running this plugin on a supported WordPress environment should be treated as affected.
Risk and Exploitability
The publicly disclosed CVSS score is 7.1, indicating high severity. The EPSS score is reported as less than 1%, suggesting a low but non‑zero probability of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need to craft a malicious URL or form that triggers the CSRF request from a privileged user's browser, so that the script payload is saved by the plugin. Once stored, every visitor to the affected page will execute the injected JavaScript, giving the attacker broad reach within the user base.
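The pattern behind this class of bug is an admin-side save handler that trusts any POST arriving in a logged-in administrator's session. The following is an added, hypothetical example (not the plugin's own code; all cf7cal_example_* names are invented) showing such a handler beside a hardened version that uses WordPress nonce verification, a capability check, input sanitization and output escaping:

```php
<?php
// Hypothetical WordPress plugin settings handler (constructed example, not the
// Contact Form 7 Calendar plugin's code). Shows the CWE-352 -> stored XSS
// pattern and the standard WordPress mitigation.

// BEFORE: no nonce, no capability check, no sanitization. Any page that can make
// an administrator's browser submit this field gets its value stored verbatim
// and later rendered to every visitor.
function cf7cal_example_save_settings_vulnerable() {
    if ( ! isset( $_POST['cf7cal_example_notice'] ) ) {
        return;
    }
    update_option( 'cf7cal_example_notice', $_POST['cf7cal_example_notice'] );
}

// AFTER: the request must come from a form the plugin rendered for this user
// (nonce), the user must be allowed to change settings, and the value is
// sanitized before storage.
function cf7cal_example_save_settings_hardened() {
    if ( ! isset( $_POST['cf7cal_example_notice'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with a 403 unless the request carries a valid nonce for this action.
    check_admin_referer( 'cf7cal_example_save', 'cf7cal_example_nonce' );

    // Remove script tags, on* handlers and other markup not allowed in post content.
    $notice = wp_kses_post( wp_unslash( $_POST['cf7cal_example_notice'] ) );
    update_option( 'cf7cal_example_notice', $notice );
}
add_action( 'admin_init', 'cf7cal_example_save_settings_hardened' );

// The settings form must embed the matching nonce field, or the hardened
// handler rejects its own submissions.
function cf7cal_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'cf7cal_example_save', 'cf7cal_example_nonce' );
    echo '<input type="text" name="cf7cal_example_notice" value="'
        . esc_attr( get_option( 'cf7cal_example_notice', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Front-end output: filter again at render time so a value stored before the
// fix cannot execute as script (defence in depth).
function cf7cal_example_render_notice() {
    echo wp_kses_post( get_option( 'cf7cal_example_notice', '' ) );
}
```

A quick review check for plugins of this kind is to grep every update_option() or similar write reached from $_POST for a preceding check_admin_referer() or wp_verify_nonce() call.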
OpenCVE Enrichment