Description
The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-19
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The vulnerability lies in the calendly shortcode of the EMC – Easily Embed Calendly Scheduling plugin for WordPress. Because user supplied attributes are not properly sanitized or escaped, an authenticated contributor‑level user can inject arbitrary JavaScript that is stored in the post content. When an affected page is later displayed, the injected script will execute in the context of any visitor, potentially allowing credential theft, defacement, or other malicious actions. This flaw is classified under CWE‑79.

Affected Systems

WordPress sites that have installed the EMC – Easily Embed Calendly Scheduling plugin in version 4.4 or earlier are affected. The issue exists in all plugin releases up through 4.4, irrespective of the WordPress core version. Users with contributor or higher privileges can exploit the flaw because they can edit the content that contains the shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate WordPress account with at least contributor rights and the ability to edit posts or pages that use the calendly shortcode. Once the payload is stored, any visitor to the affected page will be exposed to the injected script, making the attack highly effective against users who view the malicious content.

Generated by OpenCVE AI on April 19, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EMC – Easily Embed Calendly Scheduling plugin to the latest available version, which removes the improper sanitization and escaping of the shortcode attributes.
  • If an upgrade cannot be performed immediately, disable or remove the shortcode functionality for contributors and restrict the plugin’s use to administrators or trusted users only.
  • Implement a Content Security Policy on the site that restricts the execution of inline scripts and reduces the impact of any remaining stored XSS payloads.

Generated by OpenCVE AI on April 19, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 19 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title EMC Scheduling Manager <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via calendly Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-19T03:26:14.765Z

Reserved: 2026-01-12T22:36:55.885Z

Link: CVE-2026-0868

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-19T04:16:10.670

Modified: 2026-04-19T04:16:10.670

Link: CVE-2026-0868

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-19T05:30:15Z

Weaknesses