EMC Scheduling Manager <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via calendly Shortcode
Description
The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (base score 6.4, Medium)
- AV:N (Attack Vector: Network): the shortcode is submitted through the web editor and the payload is served to anyone who loads the page.
- AC:L (Attack Complexity: Low): no race or special condition is required.
- PR:L (Privileges Required: Low): a Contributor account is enough.
- UI:N (User Interaction: None): the injected script runs on page load; the victim only has to open the page.
- S:C (Scope: Changed): code injected through the plugin executes in other users' browsers, outside the plugin's own security authority.
- C:L / I:L / A:N: low confidentiality and integrity impact (the victim's session and page content are exposed to script running in the site's origin), no availability impact.
Technical Details
Affected versions: <= 4.4
What Changed in the Fix
Changes introduced in v4.5
Source Code
WordPress.org SVN
Vulnerability Research Plan: CVE-2026-0868 (EMC Scheduling Manager Stored XSS)
1. Vulnerability Summary
The EMC – Easily Embed Calendly Scheduling Features plugin (versions <= 4.4) is vulnerable to Stored Cross-Site Scripting (XSS) via the [calendly] shortcode. The vulnerability arises because user-supplied shortcode attributes are insufficiently sanitized and escaped before being rendered. Specifically, in the popup_script method of includes/embed.php, the branding attribute is concatenated into the inline JavaScript as a bare token, and text, button_color and text_color are placed between single quotes with no JavaScript escaping (the sanitize_text_field call in includes/shortcode.php strips tags but leaves quotes, braces and semicolons intact). A branding value that closes the object literal and the call, or a quoted attribute value that closes its string, ends the intended initBadgeWidget call and the remainder of the value runs as attacker-controlled code.
2. Attack Vector Analysis
- Endpoint: WordPress Post/Page Editor (Gutenberg or Classic).
- Vulnerable Attribute: branding (emitted unquoted); text, button_color and text_color are likewise unescaped inside single-quoted JS strings, so a single quote in any of them also breaks out.
- Authentication Level: Contributor or above (any user capable of using shortcodes).
- Preconditions: The plugin must be active. The exploit executes when any user (including administrators) views the page containing the malicious shortcode.
3. Code Flow
- Entry Point: A user with Contributor+ permissions saves a post containing the [calendly] shortcode.
- Shortcode Registration: embed-calendly-scheduling.php registers the shortcode: add_shortcode('calendly', array('EMCS_Shortcode
Summary
The EMC Scheduling Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [calendly] shortcode in all versions up to and including 4.4. The plugin fails to escape shortcode attributes such as 'branding' and 'button_color' for the context they are rendered into, an inline JavaScript block, so a Contributor-level attacker can store a value that ends the intended Calendly call and executes arbitrary script in the browser of anyone who views the post.
Vulnerable Code
```php
// includes/embed.php around line 211
// Every interpolated value lands inside an inline <script>. The four string
// slots are single-quoted but never JS-escaped, and branding is emitted as a
// bare token, so a value that closes the object literal and the call takes
// over the rest of the script.
private function popup_script($atts) {
    return '<div id="calendly-popup-button-widget" data-url="' . esc_attr($this->url) . '" style="display: none"><script>window.onload = function() { Calendly.initBadgeWidget({ url: \'' . $this->url . '\', text: \'' . $atts['text'] . '\', color: \'' . $atts['button_color'] . '\', textColor: \'' . $atts['text_color'] . '\', branding: ' . $atts['branding'] . ' });}</script></div>';
}
```

```php
// includes/shortcode.php around line 43
// sanitize_text_field() strips tags, octets and line breaks but keeps quotes,
// braces, parentheses and semicolons, which is all a JS breakout needs.
$branding = (!empty($atts['branding'])) ? sanitize_text_field($atts['branding']) : 'false';
// ... attributes are passed to EMCS_Embed without further context-specific escaping for JS contexts
```
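To make the breakout concrete, the following is an added stand-alone PHP example, not the plugin's own code: it reproduces the popup_script() pattern in plain PHP next to a hardened form, and checks mechanically whether the injected call ends up outside every JavaScript string literal. The attr_escape() stand-in for esc_attr(), the render and scan function names, and the sample attribute values are assumptions made for this page.

```php
<?php
// Added example, not the plugin's code: a plain-PHP reproduction of the
// popup_script() pattern from includes/embed.php beside a hardened form, so
// the JS-context breakout can be examined without a WordPress install.
// Function names, the attr_escape() stand-in and the sample attributes are
// assumptions made for this illustration.

// Stand-in for WordPress esc_attr(): HTML-attribute escaping only, which is
// all the original applied, and only to data-url, never to the <script> body.
function attr_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Same shape as the vulnerable method: strings dropped between single quotes
// with no JS escaping, and branding interpolated as a bare JS token.
function render_badge_unsafe(string $url, array $atts): string {
    return '<div id="calendly-popup-button-widget" data-url="' . attr_escape($url) . '" style="display: none">'
        . '<script>window.onload = function() { Calendly.initBadgeWidget({'
        . ' url: \'' . $url . '\','
        . ' text: \'' . $atts['text'] . '\','
        . ' color: \'' . $atts['button_color'] . '\','
        . ' textColor: \'' . $atts['text_color'] . '\','
        . ' branding: ' . $atts['branding'] . ' });}</script></div>';
}

// Hardened form: branding is reduced to a real boolean before output, and the
// whole widget config is emitted as one JSON literal with < > & ' " hex-escaped,
// so neither a quote nor a "</script>" in any attribute can leave its string.
function render_badge_safe(string $url, array $atts): string {
    $config = [
        'url'       => $url,
        'text'      => (string) ($atts['text'] ?? ''),
        'color'     => (string) ($atts['button_color'] ?? ''),
        'textColor' => (string) ($atts['text_color'] ?? ''),
        'branding'  => filter_var($atts['branding'] ?? 'false', FILTER_VALIDATE_BOOLEAN),
    ];
    $json = json_encode($config, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<div id="calendly-popup-button-widget" data-url="' . attr_escape($url) . '" style="display: none">'
        . '<script>window.onload = function() { Calendly.initBadgeWidget(' . $json . ');}</script></div>';
}

// Returns the <script> body with every JS string literal blanked out, so what
// remains is text the engine would treat as code rather than as data.
function js_outside_strings(string $html): string {
    if (!preg_match('/<script>(.*?)<\/script>/s', $html, $m)) {
        return '';
    }
    $js = $m[1];
    $out = '';
    $quote = null;
    for ($i = 0, $n = strlen($js); $i < $n; $i++) {
        $c = $js[$i];
        if ($quote === null) {
            if ($c === "'" || $c === '"') { $quote = $c; } else { $out .= $c; }
        } elseif ($c === '\\') {
            $i++;                       // skip the escaped character inside a literal
        } elseif ($c === $quote) {
            $quote = null;
        }
    }
    return $out;
}

// True when the attacker's call site ends up outside every string literal.
function payload_runs_as_code(string $html): bool {
    return strpos(js_outside_strings($html), 'alert(') !== false;
}

// Constructed samples: the advisory's branding payload, and a quote breakout
// through text. Neither contains a newline or a tag, so sanitize_text_field()
// as used in includes/shortcode.php would pass both through unchanged.
$url  = 'https://calendly.com/test';
$base = ['text' => 'Schedule', 'button_color' => '#00a2ff', 'text_color' => '#ffffff', 'branding' => 'false'];
$samples = [
    'branding breakout' => ['branding' => 'false }); alert(origin); //'] + $base,
    'text breakout'     => ['text' => "Schedule' }); alert(document.domain); //"] + $base,
];

foreach ($samples as $label => $atts) {
    printf("%-18s unsafe: %s  safe: %s\n", $label,
        payload_runs_as_code(render_badge_unsafe($url, $atts)) ? 'alert() is live code' : 'inert',
        payload_runs_as_code(render_badge_safe($url, $atts))   ? 'alert() is live code' : 'inert');
}
```

Run it with `php` on the command line. For both constructed payloads the unsafe renderer leaves `alert(` outside the string literals, while the hardened renderer never does: branding is converted to a boolean the server chooses, and every string travels as JSON, which is valid JavaScript and, with the hex flags, safe inside an HTML script element. The design point is that an unquoted slot cannot be fixed by escaping at all; esc_js() escapes quotes, backslashes, angle brackets, ampersands and line breaks for use inside a single-quoted string and leaves `}`, `)` and `;` alone, so only a whitelist or a type conversion protects the bare-token position.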
Security Fix
@@ -211,9 +190,30 @@ private function popup_script($atts) { - return '<div id="calendly-popup-button-widget" data-url="' . esc_attr($this->url) . '" style="display: none"><script>window.onload = function() { Calendly.initBadgeWidget({ url: \'' . $this->url . '\', text: \'' . $atts[\'text\'] . '\', - color: \'' . $atts[\'button_color\'] . '\', textColor: \'' . $atts[\'text_color\'] . '\', - branding: ' . $atts['branding'] . ' });}</script></div>'; + $url = esc_js($this->url); + $text = esc_js($atts['text']); + $color = esc_js($atts['button_color']); + $textColor = esc_js($atts['text_color']); + $branding = esc_js($atts['branding']); + + return "<div id='calendly-popup-button-widget' data-url='" . esc_attr($this->url) . "' style='display: none'> + <script> + window.onload = function() { + Calendly.initBadgeWidget({ + url: '{$url}', + text: '{$text}', + color: '{$color}', + textColor: '{$textColor}', + branding: {$branding} + }); + } + </script> + </div>"; }
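Review bot: the `branding` slot is still interpolated unquoted (`branding: {$branding}`), and `esc_js()` is the wrong tool for a bare JS token: it escapes quotes, backslashes, `<`, `>`, `&` and line breaks for use inside a single-quoted string, but leaves `}`, `)`, `;` and `/` untouched, so the advisory's own value `false }); alert(origin); //` passes through it unchanged and still closes the object literal and the call. Reduce the value to a server-chosen literal before output, for example `$branding = ( 'true' === $atts['branding'] ) ? 'true' : 'false';`, or emit the whole config object through `wp_json_encode()`. The `esc_js()` calls on the four single-quoted string slots are the right fix for those positions and also neutralise a `</script>` inside a value.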
Exploit Outline
1. Log in to the WordPress dashboard with at least Contributor-level permissions.
2. Create a new post or page (or edit an existing one).
3. Insert the [calendly] shortcode using a payload that breaks out of the JavaScript object context in the 'branding' attribute. For example:
   `[calendly url="https://calendly.com/test" type="2" button_style="2" branding="false }); alert(origin); //"]`
   Check the rendered script in the browser console before relying on this value: in the vulnerable template the `});}` that closes the window.onload function follows the branding token on the same line, so the trailing `//` comments it out and the browser reports a syntax error for the script element; the value has to leave that function closed for anything in the script to run.
4. Save the post. A Contributor cannot publish, so the post is submitted for review; the shortcode renders in an Editor's preview of the pending draft as well as in the published page.
5. When an administrator or any other user views the page, the JavaScript payload executes in their browser context.
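Updating to 4.5 removes the sink but not shortcodes already stored by a malicious contributor, so triage should look at post content as well. The following is an added PHP scanner, not the plugin's code, that parses `[calendly]` tags out of stored content and flags attribute values that no honest use of the shortcode would produce. Its attribute regex is a simplified stand-in for WordPress's shortcode_parse_atts(), and the two posts it scans are constructed for this page.

```php
<?php
// Added example, not the plugin's code: finds [calendly] shortcodes in stored
// post content whose attribute values carry JS-breakout characters, for
// triage on a site that ran <= 4.4. parse_shortcode_atts() is a simplified
// stand-in for WordPress shortcode_parse_atts(), and the two posts are
// constructed for this illustration.

// Parses name="value", name='value' and bare name=value pairs from the text
// between "[calendly" and the closing "]".
function parse_shortcode_atts(string $body): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'|(\w+)\s*=\s*([^\s\]\'"]+)/';
    if (preg_match_all($re, $body, $pairs, PREG_SET_ORDER)) {
        foreach ($pairs as $p) {
            if (!empty($p[1]))     { $atts[strtolower($p[1])] = $p[2]; }
            elseif (!empty($p[3])) { $atts[strtolower($p[3])] = $p[4]; }
            else                   { $atts[strtolower($p[5])] = $p[6]; }
        }
    }
    return $atts;
}

// Returns a reason when a value could not have come from an honest use of
// the shortcode, or null when it looks benign.
function flag_value(string $name, string $value): ?string {
    if ($name === 'branding' && !preg_match('/^(true|false|1|0)?$/i', trim($value))) {
        return 'branding is not a boolean literal';
    }
    // Quotes, brackets, braces, semicolons and backslashes are what a breakout
    // of a JS string or object literal needs; none belongs in these attributes.
    if (preg_match('/[\'"<>(){};\\\\]/', $value)) {
        return 'value contains JS/HTML breakout characters';
    }
    // A JS line comment hides the template's own closing tokens; url is the
    // only attribute where "//" is expected (in the scheme).
    if ($name !== 'url' && strpos($value, '//') !== false) {
        return 'value contains a JS line comment';
    }
    return null;
}

// Scans one post's content. Like WordPress itself, the tag ends at the first
// "]", so a quoted value cannot hide one.
function find_suspicious_calendly_shortcodes(string $content): array {
    $findings = [];
    if (!preg_match_all('/\[calendly\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        return $findings;
    }
    foreach ($tags as $t) {
        foreach (parse_shortcode_atts($t[1][0]) as $name => $value) {
            $reason = flag_value($name, $value);
            if ($reason !== null) {
                $findings[] = ['offset' => $t[0][1], 'attribute' => $name, 'value' => $value, 'reason' => $reason];
            }
        }
    }
    return $findings;
}

// Runs the scanner over id => post_content rows and tags each hit with its post.
function scan_posts(array $posts): array {
    $report = [];
    foreach ($posts as $id => $content) {
        foreach (find_suspicious_calendly_shortcodes($content) as $f) {
            $report[] = ['post_id' => $id] + $f;
        }
    }
    return $report;
}

// Constructed rows in the shape of SELECT ID, post_content FROM wp_posts:
// one honest embed and one carrying the advisory's branding payload.
$posts = [
    17 => 'Book a slot: [calendly url="https://calendly.com/acme/intro" type="2" button_style="2" text="Schedule" branding="false"]',
    42 => 'Hi! [calendly url="https://calendly.com/test" type="2" button_style="2" branding="false }); alert(origin); //"] thanks',
];

print_r(scan_posts($posts));
```

Feed it the rows from `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[calendly%'`, and include revisions (post_type = 'revision'), since a contributor's edit history keeps earlier versions of a payload even after the visible post has been cleaned. Post 17 produces no findings; post 42 is reported for a branding value that is not a boolean literal, with the offset of the tag in the content so the exact shortcode can be pulled for review.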