CVE-2025-62752

2025-12-31 [email protected]

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 31, 2025 - 12:16 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kalender.digital Kalender.digital kalender-digital allows DOM-Based XSS. This issue affects Kalender.digital: from n/a through <= 1.0.13.

Analysis (AI)

The Kalender.digital WordPress plugin (slug kalender-digital) is affected by a DOM-based cross-site scripting (XSS) flaw in every version up to and including 1.0.13. Attacker-controlled input reaches a client-side DOM sink without neutralization, so an attacker who can get a user to open a crafted URL or page can run arbitrary JavaScript in that user's browser within the origin of the WordPress site. The weakness is classified as CWE-79. Its EPSS score of 0.01% indicates that exploitation in the wild is considered very unlikely at the time of this analysis; EPSS estimates exploitation probability, not the impact of a successful attack.

Technical Context (AI)

DOM-based XSS (CWE-79) occurs when client-side JavaScript takes attacker-controllable data from a DOM source (location.hash, location.search, document.referrer, window.name) and writes it to a dangerous sink (innerHTML, document.write, eval, an event-handler attribute) without context-appropriate encoding, so the browser parses and executes the injected markup. The Kalender.digital plugin, a WordPress calendar component, fails to neutralize such input during page generation in its client-side DOM manipulation. Unlike reflected or stored XSS, the payload does not have to pass through the server at all: when it is carried in the URL fragment (the part after #), browsers never send it with the request, so server-side logging, WAF rules and PHP escaping functions never see it. Calendar plugins are natural XSS targets because they render user-supplied event titles, descriptions and dates, and because they commonly read view state (selected month, event identifier) from the URL on the client.
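The source-to-sink pattern described above, and the hardened form a plugin author would ship, as an added example. This is not Kalender.digital's code and does not claim to reproduce its actual sink: the `event` fragment parameter, the function names and the sample URL are assumptions, and the payload is a constructed illustration.

```javascript
// Added illustration of the DOM-based XSS pattern behind CWE-79 and its
// hardened form. NOT Kalender.digital's code: the `event` fragment
// parameter, the function names and the sample URL are assumptions.

// Source: a value read from the URL fragment on the client. The fragment is
// never sent to the server, so nothing about the payload reaches server logs.
function getFragmentParam(url, name) {
  const fragment = new URL(url).hash.replace(/^#/, '');
  return new URLSearchParams(fragment).get(name);
}

// VULNERABLE: untrusted text is concatenated into markup destined for an
// HTML sink (element.innerHTML, document.write, jQuery .html()). The browser
// parses the payload and runs the onerror handler.
function renderEventTitleUnsafe(title) {
  return '<span class="event-title">' + title + '</span>';
}

// Context-aware encoding for the HTML text-node context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: encode before the HTML sink. In real browser code prefer
// element.textContent = title (no markup parsing at all) over any innerHTML
// assignment, and never build event-handler attributes from untrusted input.
function renderEventTitleSafe(title) {
  return '<span class="event-title">' + escapeHtml(title) + '</span>';
}

// Constructed sample: a link an attacker would send to a logged-in user.
const craftedUrl =
  'https://example.test/calendar/#event=' +
  encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

// Runs both renderers over the same attacker-controlled input and returns
// what each would hand to the sink.
function demo(url = craftedUrl) {
  const title = getFragmentParam(url, 'event');
  return {
    source: title,
    unsafe: renderEventTitleUnsafe(title),
    safe: renderEventTitleSafe(title),
  };
}

const result = demo();
console.log('DOM source      :', result.source);
console.log('innerHTML (bad) :', result.unsafe);
console.log('encoded (good)  :', result.safe);
```

Note that the request the server sees for `craftedUrl` is just `GET /calendar/`; the fragment with the payload stays in the browser, which is why this class of bug is invisible to server-side logging and why the fix has to live in the client-side code.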

Affected Products (AI)

All versions of the Kalender.digital WordPress plugin (WordPress.org slug kalender-digital) up to and including 1.0.13 are affected. The NVD description gives no lower bound ("from n/a"), so every release through 1.0.13 should be treated as vulnerable. The plugin is distributed via WordPress.org and other sources; identify installations from the Plugins page of the WordPress admin dashboard, with WP-CLI (wp plugin get kalender-digital --field=version), or with a plugin-inventory tool. An installed but deactivated copy still warrants updating or removal, since reactivation restores the vulnerable code.
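An added audit helper (not part of the plugin or of vuln.today) that flags affected installs from the output of `wp plugin list --format=json`; the input below is a constructed sample shaped like that output, and the cut-off version comes from the NVD description's "through <= 1.0.13".

```javascript
// Added audit helper: flag kalender-digital installs at or below 1.0.13.
// Not part of the plugin or of vuln.today. Input shape mirrors
// `wp plugin list --format=json`; the sample at the bottom is constructed.
const AFFECTED_SLUG = 'kalender-digital';
const LAST_AFFECTED = '1.0.13'; // "through <= 1.0.13" per the NVD description

// Numeric, segment-wise comparison so that 1.0.13 > 1.0.9 and 1.1 > 1.0.13
// (plain string comparison gets both wrong). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('.').map((n) => parseInt(n, 10) || 0);
  const pb = String(b).split('.').map((n) => parseInt(n, 10) || 0);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  return compareVersions(version, LAST_AFFECTED) <= 0;
}

// Given the parsed JSON from `wp plugin list --format=json`, return the
// entries that need attention. Inactive copies are reported too: the files
// stay on disk and one click in wp-admin reactivates them.
function findAffected(pluginList) {
  return pluginList
    .filter((p) => p.name === AFFECTED_SLUG && isAffectedVersion(p.version))
    .map((p) => ({ name: p.name, version: p.version, status: p.status }));
}

// Constructed sample, shaped like real wp-cli output.
const samplePluginList = [
  { name: 'akismet', status: 'active', update: 'none', version: '5.3' },
  { name: 'kalender-digital', status: 'inactive', update: 'none', version: '1.0.13' },
];

const report = findAffected(samplePluginList);
console.log(report.length ? report : 'no affected kalender-digital install found');
```

Feed it real data with `wp plugin list --format=json > plugins.json` and `JSON.parse` of that file; the same comparison logic applies to the Version header in the plugin's main PHP file if WP-CLI is not available.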

Remediation (AI)

Update the Kalender.digital plugin to a release later than 1.0.13 as soon as one is available from the WordPress plugin repository or the vendor: open Plugins in the WordPress admin dashboard, locate Kalender.digital, and apply the update (or run wp plugin update kalender-digital). Until a fixed release is installed, the practical mitigations are to deactivate the plugin or remove its pages from public reach, and to deploy a Content-Security-Policy that does not allow inline script, which blocks the common inline-handler and inline-script payload shapes for this class of bug. Be clear about what does not help: because the flaw is DOM-based, the unsafe code runs in the browser, so server-side escaping with WordPress functions such as esc_attr, esc_html or wp_kses_post does not reach it, and since the DOM-based classification means the payload is supplied client-side (for example through the URL), restricting who may create calendar entries does not remove the attack path. The correct fix belongs in the plugin's own JavaScript: write untrusted values with textContent or createElement/setAttribute rather than innerHTML or document.write, and pass server data to scripts via wp_json_encode or wp_localize_script instead of assembling markup from URL parameters. For additional guidance, refer to the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/kalender-digital/vulnerability/wordpress-calendar-online-kalender-digital-plugin-1-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve.
