CVE-2025-8777

The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.2. The vulnerability exists in the planetcalc_embed function, where the 'language' parameter is used without sufficient input sanitization or output escaping [1]. This allows an attacker to inject arbitrary web scripts that are stored on the server and executed when a user accesses the affected page.

To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. The attacker can supply a malicious payload through the 'language' parameter in the shortcode. When the shortcode is rendered, the unsanitized input is output directly, leading to script execution in the context of the victim's browser [1].

The impact of successful exploitation includes the ability to execute arbitrary JavaScript in the browsers of users visiting the compromised page. This can lead to session hijacking, defacement, or redirection to malicious sites. The CVSS v3 score of 6.4 (Medium) reflects the need for authenticated access but the potential for significant harm [CVE description].

As of September 26, 2025, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue [2]. Users are advised to remove the plugin from their sites and replace it with an alternative solution, as no patched version exists.