{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0868", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-12T22:36:55.885Z", "datePublished": "2026-04-19T03:26:14.765Z", "dateUpdated": "2026-04-19T03:26:14.765Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-19T03:26:14.765Z"}, "affected": [{"vendor": "turn2honey", "product": "EMC \u2013 Easily Embed Calendly Scheduling", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EMC \u2013 Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "EMC Scheduling Manager <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via calendly Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5653ebe-7145-4b1c-94f8-ca87ed0dc4f5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3466576/embed-calendly-scheduling"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-18T15:07:18.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The EMC \u2013 Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-0868", "lastModified": "2026-04-19T04:16:10.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-19T04:16:10.670", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3466576/embed-calendly-scheduling"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5653ebe-7145-4b1c-94f8-ca87ed0dc4f5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-19T05:20:32.643886+00:00", "value": {"mitigation_remediation": ["Upgrade the EMC \u2013 Easily Embed Calendly Scheduling plugin to the latest available version, which removes the improper sanitization and escaping of the shortcode attributes.", "If an upgrade cannot be performed immediately, disable or remove the shortcode functionality for contributors and restrict the plugin\u2019s use to administrators or trusted users only.", "Implement a Content Security Policy on the site that restricts the execution of inline scripts and reduces the impact of any remaining stored XSS payloads."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the EMC \u2013 Easily Embed Calendly Scheduling plugin in version 4.4 or earlier are affected. The issue exists in all plugin releases up through 4.4, irrespective of the WordPress core version. Users with contributor or higher privileges can exploit the flaw because they can edit the content that contains the shortcode.", "description_and_impact": "The vulnerability lies in the calendly shortcode of the EMC \u2013 Easily Embed Calendly Scheduling plugin for WordPress. Because user supplied attributes are not properly sanitized or escaped, an authenticated contributor\u2011level user can inject arbitrary JavaScript that is stored in the post content. When an affected page is later displayed, the injected script will execute in the context of any visitor, potentially allowing credential theft, defacement, or other malicious actions. This flaw is classified under CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate WordPress account with at least contributor rights and the ability to edit posts or pages that use the calendly shortcode. Once the payload is stored, any visitor to the affected page will be exposed to the injected script, making the attack highly effective against users who view the malicious content."}}}}, "created": "2026-04-19T05:30:15.554075+00:00", "updated": "2026-04-19T05:30:15.554110+00:00", "vendors": []}