Skip to main content

CVE-2025-66103

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-30 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 30, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revmakx WPCal.io wpcal allows DOM-Based XSS.This issue affects WPCal.io: from n/a through <= 0.9.5.9.

AnalysisAI

DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.

Technical ContextAI

WPCal.io is a WordPress plugin (CWE-79: Cross-site Scripting) that fails to properly sanitize or validate user-supplied input before rendering it in the Document Object Model (DOM). DOM-based XSS vulnerabilities occur when client-side JavaScript processes untrusted data and renders it into the page without encoding, allowing attacker-controlled input to be interpreted as executable code. This differs from reflected or stored XSS because the attack payload is processed entirely on the client side via JavaScript manipulation of the DOM, often triggered through crafted URLs or form inputs that the plugin's JavaScript functions parse and render unsafely.

Affected ProductsAI

WPCal.io WordPress plugin from version n/a through 0.9.5.9. The plugin is hosted on the WordPress plugin repository and distributed to WordPress installations. Vulnerability details and affected version information are documented in the Patchstack vulnerability database for WPCal.io.

RemediationAI

Update WPCal.io to a version newer than 0.9.5.9 where the input sanitization has been corrected. Site administrators should access the WordPress dashboard, navigate to Plugins, locate WPCal.io, and apply the available update. If no patched version is currently available, disable or deactivate the plugin until a fix is released. For detailed patch availability and version information, consult the official Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wpcal/vulnerability/wordpress-wpcal-io-plugin-0-9-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve or contact the plugin vendor directly.

Share

CVE-2025-66103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy