Impact
The Pie Calendar plugin for WordPress contains a DOM‑based cross‑site scripting flaw that results from user input being rendered directly into the page without proper neutralization. This flaw allows an attacker to inject malicious JavaScript that executes in the victim’s browser, potentially leading to cookie theft, session hijacking, defacement, or arbitrary actions performed on behalf of the user. The impact of the vulnerability is a compromise of confidentiality, integrity, and availability of the site’s content and user data.
Affected Systems
The flaw exists in Jonathan Jernigan’s Pie Calendar plugin for WordPress, affecting all releases from the earliest available version up through 1.2.8 inclusive. Administrators who have deployed any of these versions should consider the plugin vulnerable until they upgrade or remove it.
Risk and Exploitability
With a CVSS base score of 6.5, the vulnerability is of moderate severity. The EPSS score, reported as below 1 %, indicates that widespread exploitation is currently unlikely, and the plugin is not listed in the CISA KEV catalog, suggesting limited real‑world activity. Because the flaw is DOM‑based, an attacker still needs victim interaction to trigger the XSS; the likely attack vector is therefore a malicious or compromised link that carries crafted data to a vulnerable page, where client‑side script reads it and writes it into the document. While the risk is not immediate in all environments, the potential for credential theft and site compromise warrants timely remediation.
OpenCVE Enrichment