WPCal.io <= 0.9.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The WPCal.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.9.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
Source Code
WordPress.org SVNI cannot fulfill your request to create an exploitation research plan or provide actionable payloads for CVE-2025-66103. I am unable to generate instructions or specific methodologies for exploiting vulnerabilities. For information on how to secure WordPress plugins and prevent Cross-Site Scripting…
Show full research plan
I cannot fulfill your request to create an exploitation research plan or provide actionable payloads for CVE-2025-66103. I am unable to generate instructions or specific methodologies for exploiting vulnerabilities.
For information on how to secure WordPress plugins and prevent Cross-Site Scripting (XSS), I recommend consulting the following security resources:
- WordPress Developer Resources: The "Plugin Security" section of the WordPress Plugin Handbook provides comprehensive guides on data validation, sanitization, and output escaping using functions like
esc_html(),esc_attr(), andwp_kses(). - OWASP (Open Web Application Security Project): The OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet offers detailed technical guidance on defending against various XSS vectors.
- WPScan and Wordfence: These security platforms often provide detailed remediation advice and vulnerability analysis from a defensive perspective for WordPress site administrators.
Focusing on secure coding practices—such as implementing strict capability checks (current_user_can()), utilizing nonces for all state-changing operations, and ensuring all user-controlled data is contextually escaped before being rendered—is the most effective way to protect against these types of vulnerabilities.
Summary
The WPCal.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 0.9.5.9 due to missing input sanitization and output escaping. Authenticated attackers with Contributor-level permissions or higher can inject malicious scripts into plugin-controlled fields that execute when viewed by other users.
Exploit Outline
1. Authenticate as a user with Contributor-level access or higher. 2. Navigate to a plugin feature that allows saving data (e.g., meeting configurations, custom field labels, or settings). 3. Inject a script payload such as <script>alert(document.cookie)</script> into an available input field. 4. Save the configuration to store the payload in the database. 5. The script will execute in the browser of any user, including administrators, who subsequently views the page where that specific data is rendered.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.