Description
The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘language’ parameter in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The planetcalc plugin for WordPress contains a stored cross‑site scripting flaw caused by insufficient input sanitization and output escaping of the language parameter. A malicious user with Contributor or higher privileges can inject arbitrary JavaScript that is persisted in the plugin’s data store and executed whenever a visitor loads the affected page. This allows attackers to run client‑side scripts capable of credential theft, session hijacking, defacement, or other malicious actions on all visitors to the compromised page.

Affected Systems

WordPress sites that have the planetcalc plugin installed, in any release equal to or older than 2.2. The vulnerability is present regardless of other plugins or configurations, and it requires the presence of a user with at least Contributor role to inject the malicious payload.

Risk and Exploitability

The CVSS score of 6.4 classifies this as a medium severity issue. The EPSS score of less than 1% suggests that widespread exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Once an injection has occurred, every site visitor to the affected page will execute the stored script, exposing the site to client‑side attacks. The attack vector demands authenticated access with at least Contributor rights, so an adversary must first compromise or impersonate a user with those privileges.

Generated by OpenCVE AI on April 21, 2026 at 02:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update planetcalc to the latest supported release (2.3 or newer) which removes the vulnerable language parameter.
  • Modify the plugin’s code to sanitize or escape content in the language field if an update is not available right away.
  • Reduce the risk by revoking Contributor or higher privileges for users that do not need them or by disabling the language option through site settings or custom code to prevent the parameter from being used.
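The "sanitize or escape content in the language field" step above, as an added PHP illustration that is not the planetcalc plugin's own code. The page does not show how the plugin handles the parameter, so the shortcode name `calc_embed`, its `language` attribute, the handler functions and the language allow-list are all assumptions; only the WordPress API calls (`shortcode_atts`, `sanitize_key`, `esc_attr`, `add_shortcode`) are real.

```php
<?php
// Added illustration, not the planetcalc plugin's code. It assumes a hypothetical
// shortcode [calc_embed language="..."] whose handler reflects the attribute into
// the page; the real plugin's shortcode, attribute handling and templates are
// unknown, so everything below other than the WordPress API calls is assumed.

// BEFORE (vulnerable pattern, CWE-79): the attribute value is saved with the post
// and printed verbatim, so a Contributor who saves a post can persist markup that
// runs in every visitor's browser. This is the shape of bug the advisory describes.
function calc_embed_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'language' => 'en' ), $atts, 'calc_embed' );
    return '<div class="planetcalc" data-language="' . $atts['language'] . '"></div>';
}

// Constructed sample allow-list; a real plugin would derive this from the
// languages it actually ships.
function calc_embed_allowed_languages() {
    return array( 'en', 'ru', 'de', 'fr', 'es' );
}

// AFTER (hardened): validate against an allow-list on the way in, then escape for
// the attribute context on the way out. Either step alone narrows the bug; doing
// both keeps the fix intact if someone later adds a second output path.
function calc_embed_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'language' => 'en' ), $atts, 'calc_embed' );
    // sanitize_key() lowercases and keeps only [a-z0-9_-], which already drops
    // angle brackets, quotes and whitespace.
    $language = sanitize_key( $atts['language'] );
    if ( ! in_array( $language, calc_embed_allowed_languages(), true ) ) {
        $language = 'en'; // fall back to the default rather than echoing unknown input
    }
    // esc_attr() is the WordPress escaping function for HTML attribute context;
    // use esc_html() instead if the value is ever printed as element text.
    return '<div class="planetcalc" data-language="' . esc_attr( $language ) . '"></div>';
}

add_shortcode( 'calc_embed', 'calc_embed_shortcode_safe' );
```

For a site owner who cannot patch yet, the same allow-list check is the thing to look for when reviewing the installed plugin: any place the `language` value reaches HTML without an `esc_*` call or a fixed set of accepted values is the output path to guard.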


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-31675
Title: The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘language’ parameter in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 30 Sep 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Sep 2025 09:00:00 +0000

Type: First Time appeared
Values Added: Planetcalc, Planetcalc planetcalc, Wordpress, Wordpress wordpress
Type: Vendors & Products
Values Added: Planetcalc, Planetcalc planetcalc, Wordpress, Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type: Description
Values Added: The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘language’ parameter in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: planetcalc <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via language Parameter
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:23.167Z

Reserved: 2025-08-08T20:49:07.880Z

Link: CVE-2025-8777

Vulnrichment

Updated: 2025-09-30T15:38:17.276Z

NVD

Status : Deferred

Published: 2025-09-30T11:37:46.680

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8777

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses