CVE-2025-66103
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revmakx WPCal.io wpcal allows DOM-Based XSS. This issue affects WPCal.io: from n/a through <= 0.9.5.9.
Analysis
DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.
Technical Context
WPCal.io is a WordPress plugin; the weakness is classified as CWE-79 (Cross-site Scripting) because the plugin fails to properly sanitize or encode user-supplied input before rendering it into the Document Object Model (DOM). DOM-based XSS occurs when client-side JavaScript reads untrusted data (for example from the URL or a form field) and writes it into the page as markup rather than as text, so that attacker-controlled input is interpreted as executable code. It differs from reflected or stored XSS in that the server may never see the payload: the injection happens entirely on the client side, typically when the plugin's JavaScript parses a crafted URL or form input and renders it unsafely.
Affected Products
WPCal.io WordPress plugin from version n/a through 0.9.5.9. The plugin is hosted on the WordPress plugin repository and distributed to WordPress installations. Vulnerability details and affected version information are documented in the Patchstack vulnerability database for WPCal.io.
Remediation
Update WPCal.io to a version newer than 0.9.5.9 where the input sanitization has been corrected. Site administrators should access the WordPress dashboard, navigate to Plugins, locate WPCal.io, and apply the available update. If no patched version is currently available, disable or deactivate the plugin until a fix is released. For detailed patch availability and version information, consult the official Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wpcal/vulnerability/wordpress-wpcal-io-plugin-0-9-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve or contact the plugin vendor directly.