CVE-2026-32411

The Embed Calendly plugin for WordPress versions up to and including 4.4 fails to properly neutralize user input during web page generation, leading to a stored cross-site scripting (XSS) vulnerability. This improper input handling allows an attacker to inject arbitrary scripts that are executed when other users view the affected page [1].

Exploitation requires a user with certain privileges to perform an action, but the vulnerability is accessible to authenticated users with lower-level roles. Once triggered, the injected script persists in the application, affecting any visitor to the compromised page [1].

The impact of successful exploitation includes the ability to inject malicious scripts such as redirects, advertisements, or other HTML payloads. These scripts execute in the context of the victim's browser, potentially leading to session hijacking, defacement, or further compromise [1].

The vulnerability is addressed in version 4.5 of the plugin. Users are strongly advised to update to this or a later version immediately. Patchstack users can enable auto-updates for vulnerable plugins. Given that this type of issue is used in mass-exploit campaigns, prompt mitigation is recommended [1].