Impact
The vulnerability is a stored Cross‑Site Scripting flaw that allows attackers to inject malicious scripts into the output of a WordPress page that uses the UseStrict Calendly Embedder plugin. The flaw arises from improper input neutralization during web page generation, meaning data entered into the plugin can be persisted and later executed in the browser context of any user who views the affected page. The impact is that an attacker could run arbitrary JavaScript, potentially stealing credentials, session cookies, or defacing site content for any visitor to the site.
Affected Systems
The affected product is the WordPress UseStrict Calendly Embedder plugin from UseStrict, specifically all releases from the earliest available version up through and including 1.1.7.2. WordPress administrators running this plugin in any installation are susceptible. No specific WordPress core version is required for the flaw to exist, but the plugin must be present and configured in the site environment.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% points to a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been observed in known exploit campaigns. Attackers would likely need the ability to submit or modify content through the plugin interface, so the attack vector is essentially a stored XSS through administrative or user‑generated input. Given the medium severity and low exploitation likelihood, sites running the affected plugin should monitor for suspicious activity while prioritizing remediation (updating past 1.1.7.2 or disabling the plugin until patched).
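To make the "improper input neutralization during web page generation" pattern concrete, the following is an added illustrative example in WordPress plugin style; it is not the UseStrict Calendly Embedder plugin's code and does not describe where that plugin's flaw sits. The shortcode name `example_calendly`, the `url` attribute and the "only Calendly URLs" policy are assumptions made for the example. It contrasts a shortcode handler that echoes a stored attribute unescaped with a hardened handler that validates and escapes on output and limits who may store the content in the first place.

```php
<?php
/*
 * Added example, not the plugin's own code. Demonstrates the stored-XSS
 * class from the advisory: a value persisted in post content is later
 * written into the page without being neutralized for its output context.
 * Assumes a WordPress runtime (shortcode_atts, esc_url, esc_attr, etc.).
 */

// --- Vulnerable pattern (shown for contrast, do not ship) -------------------
function example_calendly_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts );
    // $atts['url'] comes from stored post content. Concatenating it raw into
    // an attribute lets a crafted value terminate the attribute/element and
    // introduce markup or script that every viewer's browser then executes.
    return '<div class="calendly-inline-widget" data-url="' . $atts['url'] . '"></div>';
}

// --- Hardened pattern --------------------------------------------------------
function example_calendly_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts );

    // 1. Validate the value against the semantics it is supposed to have.
    //    esc_url() rejects disallowed protocols (e.g. javascript:) and
    //    normalises the URL; the host check is an assumed policy for this
    //    example (only Calendly scheduling links are meaningful here).
    $url = esc_url( $atts['url'] );
    if ( '' === $url || 0 !== strpos( $url, 'https://calendly.com/' ) ) {
        return ''; // refuse anything that is not a Calendly link
    }

    // 2. Escape for the exact output context (an HTML attribute). esc_attr()
    //    encodes quotes and angle brackets so the value cannot break out of
    //    the attribute regardless of what was stored.
    return '<div class="calendly-inline-widget" data-url="' . esc_attr( $url ) . '"></div>';
}
add_shortcode( 'example_calendly', 'example_calendly_shortcode_safe' );

// --- Defence in depth: neutralize on the way in as well as on the way out ----
// If the plugin also stores a site-wide default URL in an option, register a
// sanitize callback so the persisted value is already a clean URL; output
// escaping above still applies, because storage-time sanitising alone does
// not know the eventual output context.
function example_calendly_register_settings() {
    register_setting(
        'example_calendly_options',
        'example_calendly_default_url',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'esc_url_raw',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_calendly_register_settings' );

// Only users WordPress already trusts with raw HTML should be able to save
// the setting; everyone else gets the sanitized path above.
function example_calendly_can_edit_default() {
    return current_user_can( 'manage_options' );
}
```

Detection-wise, the same mechanism suggests what to look for after patching: review stored shortcode attributes and plugin options for values containing `<`, `"` or a `javascript:` scheme, and scan rendered pages for script or event-handler attributes that the plugin's own markup should never emit.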
OpenCVE Enrichment