[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwybQ3oT1bchyr7P72eFlZhkLUxnooX2m5ezb9AjUgQ8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"source_links":35},"CVE-2026-2396","list-view-google-calendar-authenticated-administrator-stored-cross-site-scripting-via-event-description","List View Google Calendar \u003C= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Event Description","The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","list-view-google-calendar",null,"\u003C=7.4.3","7.4.4","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-14 11:14:32","2026-04-14 23:26:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc339bf65-c522-4954-8aed-275c51298aea?source=api-prod",1,[22,23],"list-view-google-calendar.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-2396\n\n## 1. Vulnerability Summary\nThe **List View Google Calendar** plugin (\u003C= 7.4.3) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability occurs because the plugin fetches event data from the Google Calendar API and renders the `description` field of events directly onto the page without sufficient sanitization or output escaping. \n\nWhile the data originates from an external source (Google Calendar), an administrator can configure the plugin to fetch from a calendar ID they control. On WordPress Multisite installations or sites where `unfiltered_html` is disabled, a malicious administrator (or an attacker with administrative access) can inject arbitrary JavaScript into the event description in the external calendar source, which will then execute in the context of any user (including Super Admins) viewing the calendar on the WordPress site.\n\n## 2. Attack Vector Analysis\n- **Authentication Level:** Administrator (or higher).\n- **Vulnerable Component:** Shortcode rendering engine (`gc_list_view`).\n- **Vulnerable Parameter:** Google Calendar Event `description`.\n- **Preconditions:** \n    - The site must be a Multisite installation or have `DISALLOW_UNFILTERED_HTML` set to true (otherwise, administrators already have the `unfiltered_html` capability and this is not a security boundary violation).\n    - The plugin must be configured with a valid (or mocked) API key and Calendar ID.\n\n## 3. Code Flow\n1. **Entry Point:** The user visits a page containing the `[gc_list_view]` shortcode.\n2. **Shortcode Execution:** The `shortcodes()` method in `list-view-google-calendar.php` is triggered.\n3. **Data Fetching:**\n    - The plugin retrieves the API key and Calendar ID from settings (`list-view-google-calendar_array`) or shortcode attributes.\n    - It calls a fetching function (likely using `wp_remote_get` as of v7.4.0) to request `https:\u002F\u002Fwww.googleapis.com\u002Fcalendar\u002Fv3\u002Fcalendars\u002F{ID}\u002Fevents`.\n4. **Data Processing:**\n    - The JSON response is decoded.\n    - The plugin iterates through the `items` (events) array.\n    - For each event, it processes the `description` field. The class `gclv_hash_tags` (extended by `gclv`) may perform regex replacements (e.g., for tags like `#display none`), but it fails to sanitize HTML.\n5. **Sink:** The plugin includes a template file (e.g., from `library\u002Ftags\u002Fli.php`) and echoes the `description` directly: `echo $event['description'];`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does not typically require a nonce for the **trigger** phase (view","The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event descriptions in versions up to 7.4.3. This occurs because the plugin fetches event data from the Google Calendar API and renders the description within HTML attributes (like 'title') without proper attribute escaping, allowing authenticated administrators to inject scripts in environments where unfiltered_html is restricted.","\u002F\u002F list-view-google-calendar.php around line 491\n\t\t\t\tif( isset($gc_description) && !empty($gc_description) ): \n\t\t\t\t\t\u002F\u002F &#13;&#10;  is the HTML-encodeing CR+LF (line feed).\n\t\t\t\t\t$gc_description_title = str_replace(array(\"\\r\\n\", \"\\r\", \"\\n\"), \"\u003Cbr \u002F>\", $gc_description);\n\t\t\t\t\t$gc_description_title = str_replace(\n\t\t\t\t\t\tarray(\"\u003Cbr\u002F>\",\"\u003Cbr \u002F>\", \"\u003Cbr>\", \"\u003Cp>\", \"\u003C\u002Fp>\"),\n\t\t\t\t\t\t '&#13;&#10;', $gc_description_title);\n\t\t\t\t\t$gc_description_title = wp_strip_all_tags($gc_description_title);\n\t\t\t\t\t$gc_description_title = str_replace('&#13;&#10;&#13;&#10;&#13;&#10;', '&#13;&#10;', $gc_description_title);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-view-google-calendar\u002F7.4.3\u002Flist-view-google-calendar.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-view-google-calendar\u002F7.4.4\u002Flist-view-google-calendar.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-view-google-calendar\u002F7.4.3\u002Flist-view-google-calendar.php\t2026-02-01 06:10:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flist-view-google-calendar\u002F7.4.4\u002Flist-view-google-calendar.php\t2026-03-01 00:53:18.000000000 +0000\n@@ -488,13 +488,7 @@\n \t\t\t\t\u002F\u002F For title attribution\n \t\t\t\t$gc_description_title = \"\";\n \t\t\t\tif( isset($gc_description) && !empty($gc_description) ): \n-\t\t\t\t\t\u002F\u002F &#13;&#10;  is the HTML-encodeing CR+LF (line feed).\n-\t\t\t\t\t$gc_description_title = str_replace(array(\"\\r\\n\", \"\\r\", \"\\n\"), \"\u003Cbr \u002F>\", $gc_description);\n-\t\t\t\t\t$gc_description_title = str_replace(\n-\t\t\t\t\t\tarray(\"\u003Cbr\u002F>\",\"\u003Cbr \u002F>\", \"\u003Cbr>\", \"\u003Cp>\", \"\u003C\u002Fp>\"),\n-\t\t\t\t\t\t '&#13;&#10;', $gc_description_title);\n-\t\t\t\t\t$gc_description_title = wp_strip_all_tags($gc_description_title);\n-\t\t\t\t\t$gc_description_title = str_replace('&#13;&#10;&#13;&#10;&#13;&#10;', '&#13;&#10;', $gc_description_title);\n+\t\t\t\t\t$gc_description_title = esc_attr(wp_strip_all_tags($gc_description_title));\n \t\t\t\t\t\u002F\u002F Limit the output to the title attribute to 1024 bytes.\n \t\t\t\t\tif( function_exists(\"mb_strcut\") ):\n \t\t\t\t\t\t$gc_description_title = mb_strcut($gc_description_title, 0, 1024);","1. An authenticated administrator (on a multisite installation or where unfiltered_html is disabled) creates or controls a public Google Calendar.\n2. The attacker creates an event in the Google Calendar and sets its description to a payload designed to break out of an HTML attribute, such as: `\" onmouseover=\"alert(document.domain)\"`.\n3. The attacker configures the plugin to display events from this Google Calendar by setting the Calendar ID and a valid API key in the plugin's settings or via shortcode attributes.\n4. When any user (including Super Admins) visits a page where the `[gc_list_view]` shortcode is rendered, the plugin fetches the event data from the Google Calendar API.\n5. The plugin processes the event description and renders it into the 'title' attribute of an HTML element without using `esc_attr()` for escaping.\n6. The arbitrary JavaScript executes when the user triggers the browser event (e.g., by hovering over the calendar entry).","gemini-3-flash-preview","2026-04-16 15:48:47","2026-04-16 15:49:47",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","7.4.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flist-view-google-calendar\u002Ftags\u002F7.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flist-view-google-calendar.7.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flist-view-google-calendar\u002Ftags\u002F7.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flist-view-google-calendar.7.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flist-view-google-calendar\u002Ftags"]