List View Google Calendar <= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Event Description
Description
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 7.4.3
What Changed in the Fix
Changes introduced in v7.4.4
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-2396
1. Vulnerability Summary
The List View Google Calendar plugin (<= 7.4.3) is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability occurs because the plugin fetches event data from the Google Calendar API and renders the description field of events directly onto the page without sufficient sanitization or output escaping.
While the data originates from an external source (Google Calendar), an administrator can configure the plugin to fetch from a calendar ID they control. On WordPress Multisite installations or sites where unfiltered_html is disabled, a malicious administrator (or an attacker with administrative access) can inject arbitrary JavaScript into the event description in the external calendar source, which will then execute in the context of any user (including Super Admins) viewing the calendar on the WordPress site.
2. Attack Vector Analysis
- Authentication Level: Administrator (or higher).
- Vulnerable Component: Shortcode rendering engine (gc_list_view).
- Vulnerable Parameter: Google Calendar Event description.
- Preconditions:
  - The site must be a Multisite installation or have DISALLOW_UNFILTERED_HTML set to true (otherwise, administrators already have the unfiltered_html capability and this is not a security boundary violation).
  - The plugin must be configured with a valid (or mocked) API key and Calendar ID.
3. Code Flow
- Entry Point: The user visits a page containing the [gc_list_view] shortcode.
- Shortcode Execution: The shortcodes() method in list-view-google-calendar.php is triggered.
- Data Fetching:
  - The plugin retrieves the API key and Calendar ID from settings (list-view-google-calendar_array) or shortcode attributes.
  - It calls a fetching function (likely using wp_remote_get as of v7.4.0) to request https://www.googleapis.com/calendar/v3/calendars/{ID}/events.
- Data Processing:
  - The JSON response is decoded.
  - The plugin iterates through the items (events) array.
  - For each event, it processes the description field. The class gclv_hash_tags (extended by gclv) may perform regex replacements (e.g., for tags like #display none), but it fails to sanitize HTML.
- Sink: The plugin includes a template file (e.g., from library/tags/li.php) and echoes the description directly: echo $event['description'];.
4. Nonce Acquisition Strategy
This vulnerability does not typically require a nonce for the trigger phase (view
Summary
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event descriptions in versions up to 7.4.3. This occurs because the plugin fetches event data from the Google Calendar API and renders the description within HTML attributes (like 'title') without proper attribute escaping, allowing authenticated administrators to inject scripts in environments where unfiltered_html is restricted.
Vulnerable Code
// list-view-google-calendar.php around line 491
if( isset($gc_description) && !empty($gc_description) ):
    // is the HTML-encodeing CR+LF (line feed).
    $gc_description_title = str_replace(array("\r\n", "\r", "\n"), "<br />", $gc_description);
    $gc_description_title = str_replace(
        array("<br/>","<br />", "<br>", "<p>", "</p>"),
        ' ', $gc_description_title);
    $gc_description_title = wp_strip_all_tags($gc_description_title);
    $gc_description_title = str_replace(' ', ' ', $gc_description_title);
Security Fix
@@ -488,13 +488,7 @@ // For title attribution $gc_description_title = ""; if( isset($gc_description) && !empty($gc_description) ): - // is the HTML-encodeing CR+LF (line feed). - $gc_description_title = str_replace(array("\r\n", "\r", "\n"), "<br />", $gc_description); - $gc_description_title = str_replace( - array("<br/>","<br />", "<br>", "<p>", "</p>"), - ' ', $gc_description_title); - $gc_description_title = wp_strip_all_tags($gc_description_title); - $gc_description_title = str_replace(' ', ' ', $gc_description_title); + $gc_description_title = esc_attr(wp_strip_all_tags($gc_description_title)); // Limit the output to the title attribute to 1024 bytes. if( function_exists("mb_strcut") ): $gc_description_title = mb_strcut($gc_description_title, 0, 1024);
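Review bot: the replacement line `$gc_description_title = esc_attr(wp_strip_all_tags($gc_description_title));` escapes `$gc_description_title`, which the unchanged context two lines above has just set to `""`, so inside the `if( isset($gc_description) ... )` branch the title attribute is always emptied instead of being derived from `$gc_description`; the output is inert, but the title text the branch exists to produce is lost, and the intended line is presumably `$gc_description_title = esc_attr(wp_strip_all_tags($gc_description));`. Separately, the trailing context `mb_strcut($gc_description_title, 0, 1024)` now runs after `esc_attr()`, so a 1024-byte cut can land inside an entity such as `&quot;`; truncate the stripped plain text first and apply `esc_attr()` as the last step before output.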
Exploit Outline
1. An authenticated administrator (on a multisite installation or where unfiltered_html is disabled) creates or controls a public Google Calendar.
2. The attacker creates an event in the Google Calendar and sets its description to a payload designed to break out of an HTML attribute, such as: `" onmouseover="alert(document.domain)"`.
3. The attacker configures the plugin to display events from this Google Calendar by setting the Calendar ID and a valid API key in the plugin's settings or via shortcode attributes.
4. When any user (including Super Admins) visits a page where the `[gc_list_view]` shortcode is rendered, the plugin fetches the event data from the Google Calendar API.
5. The plugin processes the event description and renders it into the 'title' attribute of an HTML element without using `esc_attr()` for escaping.
6. The arbitrary JavaScript executes when the user triggers the browser event (e.g., by hovering over the calendar entry).
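As an added illustration (not the plugin's code and not the patch shown above), the following PHP renders the two sinks named in the code flow, the title attribute and the list-item body, with escaping that matches each context. It assumes a WordPress runtime for esc_attr(), wp_strip_all_tags() and wp_kses_post(); the gc_example_* function names and the event array are constructed for this example. The order of operations is the point: strip, then truncate, then escape, so the byte cut can never split an entity, and a quote in the description can never terminate the attribute.

```php
<?php
// Added example, not code from the List View Google Calendar plugin.
// Assumes WordPress core is loaded (esc_attr, wp_strip_all_tags, wp_kses_post).

/**
 * Value for a title="" attribute built from an untrusted event description.
 * Tags are stripped first, the plain text is truncated, and esc_attr() runs
 * last so that the 1024-byte limit cannot cut an entity such as &quot; in half.
 * Note that stripping tags alone is not enough: a payload like
 *   " onmouseover="alert(1)"
 * contains no tag, survives wp_strip_all_tags() unchanged, and the leading
 * quote would close the attribute. esc_attr() turns that quote into &quot;.
 */
function gc_example_title_attr( string $description ): string {
    // Second argument true also removes line breaks and collapses whitespace,
    // which replaces the old <br />/&nbsp; juggling with one call.
    $text = wp_strip_all_tags( $description, true );

    // Byte-safe truncation that does not split a multibyte UTF-8 sequence.
    $text = function_exists( 'mb_strcut' )
        ? mb_strcut( $text, 0, 1024 )
        : substr( $text, 0, 1024 );

    // Escape last, for the attribute context specifically.
    return esc_attr( $text );
}

/**
 * HTML for the list-item body. Descriptions may legitimately carry simple
 * markup, so keep the post-safe allowlist instead of stripping everything.
 * wp_kses_post() removes <script>, on* event handler attributes and
 * javascript: URLs while keeping <b>, <a href>, <br /> and similar.
 */
function gc_example_body_html( string $description ): string {
    $html = nl2br( $description ); // preserve line breaks as <br /> before filtering
    return wp_kses_post( $html );
}

// Constructed event shaped like one entry of the API's items[] array,
// carrying the attribute-breakout description from the exploit outline.
$event = array(
    'summary'     => 'Team sync',
    'description' => '" onmouseover="alert(document.domain)" x="',
);

// Both sinks escaped for their own context; the browser sees the payload as text.
printf(
    '<li title="%s">%s</li>',
    gc_example_title_attr( $event['description'] ),
    gc_example_body_html( $event['description'] )
);
```

The same two helpers can be called from the li.php template in place of a bare echo of $event['description']; the choice between wp_strip_all_tags() plus esc_attr() and wp_kses_post() depends only on whether the value lands inside an attribute or in element content.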