VYPR
Medium severity 5.9 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 28, 2026

CVE-2025-67555

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict UseStrict's Calendly Embedder cal-embedder-lite allows Stored XSS. This issue affects UseStrict's Calendly Embedder: from n/a through <= 1.1.7.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress UseStrict's Calendly Embedder plugin (<=1.1.7.2) allows attackers to inject malicious scripts, requiring user interaction.

Vulnerability Description

A stored cross-site scripting (XSS) vulnerability exists in UseStrict's Calendly Embedder plugin for WordPress, versions through 1.1.7.2. The plugin fails to properly neutralize input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript. This vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation) [1].

Exploitation Prerequisites

Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a malicious link or submitting a crafted form. The attacker must have contributor-level access or higher to inject the payload, which then becomes stored and executed when other users visit affected pages. The CVSS v3 base score is 5.9, reflecting medium severity [1].

Impact

Successful exploitation enables an attacker to execute malicious scripts in the context of a victim's browser. This can lead to session hijacking, redirection to malicious sites, defacement, or theft of sensitive information. The vulnerability is reportedly used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The plugin vendor has released version 1.2, which resolves the issue. Users are strongly advised to update immediately. Those unable to update should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
