[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7NRPQeO1cZczBIKf1fH2pa-Id6uqatKW0cxi1onLdGc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-0868","emc-scheduling-manager-authenticated-contributor-stored-cross-site-scripting-via-calendly-shortcode","EMC Scheduling Manager \u003C= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via calendly Shortcode","The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","embed-calendly-scheduling",null,"\u003C=4.4","4.5","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-18 15:07:18","2026-04-19 03:26:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd5653ebe-7145-4b1c-94f8-ca87ed0dc4f5?source=api-prod",1,[22,23,24,25,26],"changelog.txt","embed-calendly-scheduling.php","includes\u002Fembed.php","includes\u002Fshortcode.php","readme.txt","researched",false,3,"# Vulnerability Research Plan: CVE-2026-0868 (EMC Scheduling Manager Stored XSS)\n\n## 1. Vulnerability Summary\nThe **EMC – Easily Embed Calendly Scheduling Features** plugin (versions \u003C= 4.4) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[calendly]` shortcode. The vulnerability arises because user-supplied attributes in the shortcode are insufficiently sanitized and escaped before being rendered. Specifically, in the `popup_script` method, attributes like `branding` are concatenated directly into a JavaScript block without quotes or proper JavaScript escaping, allowing an attacker to break out of the JS object and execute arbitrary code.\n\n## 2. Attack Vector Analysis\n* **Endpoint:** WordPress Post\u002FPage Editor (Gutenberg or Classic).\n* **Vulnerable Attribute:** `branding` (and potentially `button_color` via attribute breakout).\n* **Authentication Level:** Contributor or above (any user capable of using shortcodes).\n* **Preconditions:** The plugin must be active. The exploit executes when any user (including administrators) views the page containing the malicious shortcode.\n\n## 3. Code Flow\n1. **Entry Point:** A user with Contributor+ permissions saves a post containing the `[calendly]` shortcode.\n2. **Shortcode Registration:** `embed-calendly-scheduling.php` registers the shortcode:\n ```php\n add_shortcode('calendly', array('EMCS_Shortcode","The EMC Scheduling Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [calendly] shortcode in versions up to 4.4. This occurs because the plugin fails to properly sanitize and escape shortcode attributes like 'branding' and 'button_color' before rendering them directly into a JavaScript block, allowing Contributor-level attackers to execute arbitrary scripts in a victim's browser.","\u002F\u002F includes\u002Fembed.php around line 211\nprivate function popup_script($atts)\n{\n return '\u003Cdiv id=\"calendly-popup-button-widget\" data-url=\"' . esc_attr($this->url) . '\" style=\"display: none\">\u003Cscript>window.onload = function() { Calendly.initBadgeWidget({ url: \\'' . $this->url . '\\', text: \\'' . $atts[\\'text\\'] . '\\', \n color: \\'' . $atts[\\'button_color\\'] . '\\', textColor: \\'' . $atts[\\'text_color\\'] . '\\', \n branding: ' . $atts['branding'] . ' });}\u003C\u002Fscript>\u003C\u002Fdiv>';\n}\n\n---\n\n\u002F\u002F includes\u002Fshortcode.php around line 43\n$branding = (!empty($atts['branding'])) ? sanitize_text_field($atts['branding']) : 'false';\n\u002F\u002F ... attributes are passed to EMCS_Embed without further context-specific escaping for JS contexts","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fembed-calendly-scheduling\u002F4.4\u002Fincludes\u002Fembed.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fembed-calendly-scheduling\u002F4.5\u002Fincludes\u002Fembed.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fembed-calendly-scheduling\u002F4.4\u002Fincludes\u002Fembed.php\t2026-02-05 07:43:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fembed-calendly-scheduling\u002F4.5\u002Fincludes\u002Fembed.php\t2026-02-21 20:04:12.000000000 +0000\n@@ -211,9 +190,30 @@\n \n private function popup_script($atts)\n {\n- return '\u003Cdiv id=\"calendly-popup-button-widget\" data-url=\"' . esc_attr($this->url) . '\" style=\"display: none\">\u003Cscript>window.onload = function() { Calendly.initBadgeWidget({ url: \\'' . $this->url . '\\', text: \\'' . $atts[\\'text\\'] . '\\', \n- color: \\'' . $atts[\\'button_color\\'] . '\\', textColor: \\'' . $atts[\\'text_color\\'] . '\\', \n- branding: ' . $atts['branding'] . ' });}\u003C\u002Fscript>\u003C\u002Fdiv>';\n+ $url = esc_js($this->url);\n+ $text = esc_js($atts['text']);\n+ $color = esc_js($atts['button_color']);\n+ $textColor = esc_js($atts['text_color']);\n+ $branding = esc_js($atts['branding']);\n+\n+ return \"\u003Cdiv id='calendly-popup-button-widget' data-url='\" . esc_attr($this->url) . \"' style='display: none'>\n+ \u003Cscript>\n+ window.onload = function() {\n+ Calendly.initBadgeWidget({\n+ url: '{$url}',\n+ text: '{$text}',\n+ color: '{$color}',\n+ textColor: '{$textColor}',\n+ branding: {$branding}\n+ });\n+ }\n+ \u003C\u002Fscript>\n+ \u003C\u002Fdiv>\";\n }","1. Log in to the WordPress dashboard with at least Contributor-level permissions.\n2. Create a new post or page (or edit an existing one).\n3. Insert the [calendly] shortcode using a payload that breaks out of the JavaScript object context in the 'branding' attribute. For example: `[calendly url=\"https:\u002F\u002Fcalendly.com\u002Ftest\" type=\"2\" button_style=\"2\" branding=\"false }); alert(origin); \u002F\u002F\"]\n4. Save and publish the post.\n5. When an administrator or any other user views the published page, the JavaScript payload will execute in their browser context.","gemini-3-flash-preview","2026-04-20 13:09:18","2026-04-20 13:10:05",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fembed-calendly-scheduling\u002Ftags\u002F4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fembed-calendly-scheduling.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fembed-calendly-scheduling\u002Ftags\u002F4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fembed-calendly-scheduling.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fembed-calendly-scheduling\u002Ftags"]