Impact
The WPCal.io plugin fails to neutralize user-controlled input before writing it into the page (CWE-79), producing a DOM-based cross-site scripting (XSS) flaw. An attacker can cause arbitrary JavaScript to execute in a victim's browser when the victim loads or interacts with an affected plugin page. Because the injected code runs in the site's origin with the visiting user's session, it can read cookies that are not marked HttpOnly, send requests that carry that user's session, rewrite page content, or redirect the browser. Since the taint flows entirely on the client, the payload may sit in a part of the URL the server never receives, such as the fragment, so server-side filtering and request logs cannot be relied on to see it.
Affected Systems
Every installation of the revmakx WPCal.io WordPress plugin at version 0.9.5.9 or earlier is affected; there is no lower cutoff, so legacy releases are in scope as well. WordPress core and unrelated plugins are not affected by this issue.
Risk and Exploitability
The CVSS base score of 6.5 falls in the Medium severity band, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not in the CISA KEV catalog, meaning CISA has no confirmed evidence of active exploitation. Exploitation requires attacker-controlled input to reach the plugin's client-side DOM handling, usually by sending a target user a crafted link; the attack therefore depends on user interaction, and its impact is bounded by what the victim's session can do. Overall the risk is moderate, and practical exploitation appears unlikely at present.
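The pattern behind CWE-79 in its DOM-based form, and the crafted link the paragraph above refers to, as an added illustration that is not WPCal.io's own code and does not reflect the plugin's actual source or sink. It assumes, hypothetically, a plugin view that reads a `title` value from the URL fragment and writes it into the page; the page path, parameter name and payload are constructed for the example, and the vulnerable and hardened sinks are modelled as pure functions so the code runs under Node without a browser.

```javascript
// Added example of DOM-based XSS (CWE-79); not WPCal.io's code. The "title"
// parameter, the page path and the payload below are hypothetical.

// Attacker side: the link sent to the victim. The payload lives in the fragment,
// which the browser never sends to the server, so server-side logs will not show it.
function craftLink(baseUrl, payload) {
  const u = new URL(baseUrl);
  u.hash = "title=" + encodeURIComponent(payload);
  return u.toString();
}

// Source: the page reads the attacker-controlled value back out of location.hash.
function titleFromFragment(href) {
  const hash = new URL(href).hash.replace(/^#/, "");
  return new URLSearchParams(hash).get("title") || "";
}

// Vulnerable sink: untrusted text concatenated into markup, as if assigned to
// element.innerHTML. Whatever tags the attacker supplied become live DOM.
function renderVulnerable(title) {
  return '<h2 class="wpcal-title">' + title + "</h2>";
}

// HTML text-context escaping, equivalent to what element.textContent does
// for you in a browser. Attribute, URL and JS contexts need different encoders.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: same markup, untrusted value escaped before insertion.
function renderHardened(title) {
  return '<h2 class="wpcal-title">' + escapeHtml(title) + "</h2>";
}

// Crude visibility check for the demo: did anything other than the intended
// <h2> wrapper end up as a tag? Escaped output contains no raw "<" at all.
function hasInjectedMarkup(html) {
  const inner = html
    .replace(/^<h2 class="wpcal-title">/, "")
    .replace(/<\/h2>$/, "");
  return /<[a-z!/]/i.test(inner);
}

// Constructed walkthrough.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const LINK = craftLink("https://example.invalid/wp/?page=wpcal", PAYLOAD);
const title = titleFromFragment(LINK);

console.log("link sent to victim :", LINK);
console.log("vulnerable output   :", renderVulnerable(title), "->", hasInjectedMarkup(renderVulnerable(title)));
console.log("hardened output     :", renderHardened(title), "->", hasInjectedMarkup(renderHardened(title)));
```

The escaping shown is correct only for the HTML text context. If the plugin inserts the value into an attribute, a `href`, or inline script, the encoder must match that context, and for rich-text input a sanitizer such as DOMPurify is the usual choice rather than hand-written escaping.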
OpenCVE Enrichment