Impact
An attacker can exploit the WordPress Events Calendar Plugin – connectDaily by inserting malicious script content that the plugin fails to neutralize before rendering a page. When an authorized user submits the injected payload through the plugin interface, the content is saved to the database and subsequently displayed to all site visitors, resulting in a stored cross‑site scripting vulnerability. Anyone who views the affected page could have malicious code executed in their browser, potentially leading to credential theft, session hijacking, or defacement of the site’s content.
Affected Systems
The vulnerability affects the WordPress Events Calendar Plugin – connectDaily, version 1.5.5 and earlier. The plugin is developed by George Sexton and is commonly used to integrate web calendars into WordPress sites. Users running any of the affected releases are at risk, regardless of additional security measures deployed elsewhere.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, primarily driven by the impact on integrity and confidentiality via XSS. The EPSS score is reported as less than 1%, suggesting very low exploitation probability at the time of assessment. The vulnerability is not listed in CISA’s KEV catalog, which further lowers the likelihood of widespread exploitation. The likely attack vector, as inferred from the description, is an authenticated user with access to the plugin’s administration or input areas.