CVE-2026-32411
Stored XSS in Embed Calendly Scheduling Component (β€ v
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simpma | embed_calendly | to 4.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32411 is a Cross Site Scripting (XSS) vulnerability found in the WordPress Embed Calendly Plugin versions 4.4 and earlier.
This vulnerability allows a malicious actor to inject harmful scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto a website, which execute when visitors access the site.
Exploitation requires user interaction, specifically a privileged user (Contributor or Developer role) performing an action like clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability is classified under the OWASP Top 10 category A3: Injection.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to the execution of malicious scripts on your website, which may cause unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.'}, {'type': 'paragraph', 'content': "Such actions can compromise the integrity and trustworthiness of your website, potentially harming your users and your site's reputation."}, {'type': 'paragraph', 'content': 'Since exploitation requires a privileged user to interact with malicious content, the risk is somewhat limited but still significant.'}, {'type': 'paragraph', 'content': 'The vulnerability has a CVSS score of 6.5, indicating moderate severity.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a Stored Cross Site Scripting (XSS) issue in the Embed Calendly WordPress plugin versions 4.4 and earlier. Detection involves identifying if your site is running a vulnerable version of this plugin.
Since the vulnerability requires a privileged user to interact with malicious input, detection can include checking plugin versions and monitoring for suspicious input or script injections in web pages generated by the plugin.
Specific commands to detect the vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to update the Embed Calendly plugin to version 4.5 or later, where the vulnerability has been patched.
Additionally, enabling auto-updates for vulnerable plugins can help ensure ongoing protection.