Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS.This issue affects Editorial Calendar: from n/a through <= 3.9.0.
Published: 2026-03-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (DOM-Based)
Action: Patch
AI Analysis

Impact

The Marketing Fire Editorial Calendar WordPress plugin contains improper neutralization of input during web page generation, which allows DOM-based XSS. When an affected page is rendered in a victim’s browser, an attacker could inject arbitrary script, potentially executing malicious JavaScript in the context of the site. The vulnerability is identified by CWE-79.

Affected Systems

Any WordPress site running the Editorial Calendar plugin from any version through 3.9.0 is vulnerable. The vendor 'Marketing Fire' lists the product 'Editorial Calendar' as affected in this version range.

Risk and Exploitability

The CVSS v3 score of 6.5 indicates a Medium severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not included in CISA’s KEV catalog. Exploitation is likely remote and would require the victim to load an affected page, typically via a crafted link or social‑engineering technique, to trigger the injected script. Based on typical XSS consequences, this could enable an attacker to steal session cookies, capture credentials or perform other client‑side malicious actions.

Generated by OpenCVE AI on March 17, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Editorial Calendar plugin to the latest available version; the vendor may have a patch that addresses the XSS flaw.
  • If an upgrade is not yet possible, disable or remove the plugin from the WordPress installation to prevent exposure.
  • Regularly check the vendor’s security advisories for updates or additional mitigations.

Generated by OpenCVE AI on March 17, 2026 at 16:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Marketing Fire
Marketing Fire editorial Calendar
Wordpress
Wordpress wordpress
Vendors & Products Marketing Fire
Marketing Fire editorial Calendar
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS.This issue affects Editorial Calendar: from n/a through <= 3.9.0.
Title WordPress Editorial Calendar plugin <= 3.9.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Marketing Fire Editorial Calendar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:58.960Z

Reserved: 2026-03-12T11:10:53.774Z

Link: CVE-2026-32361

cve-icon Vulnrichment

Updated: 2026-03-16T14:53:52.868Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:49.983

Modified: 2026-03-16T15:16:22.650

Link: CVE-2026-32361

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:58:56Z

Weaknesses