Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simpma Embed Calendly embed-calendly-scheduling allows Stored XSS.This issue affects Embed Calendly: from n/a through <= 4.4.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Simpma Embed Calendly plugin (versions up to and including 4.4) that allows authenticated attackers to inject malicious scripts into web pages. An attacker with login privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected content, potentially compromising session tokens, credentials, or sensitive data. While this vulnerability requires prior authentication (lowering immediate exposure), the stored nature means the payload affects multiple victims and persists across sessions.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a failure to properly sanitize or encode user-supplied data before rendering it in HTML context. The Simpma Embed Calendly plugin (CPE: cpe:2.3:a:simpma:embed-calendly-scheduling) processes calendar embedding data without adequate input validation or output encoding. The plugin likely accepts user input for calendar customization, event descriptions, or other metadata that is then reflected back to users without escaping special characters. This allows an attacker to break out of the intended data context and inject arbitrary JavaScript code that executes with the privileges of the compromised user's session within the web application.
RemediationAI
Immediately upgrade the Simpma Embed Calendly plugin to version 4.5 or later if available from the vendor. Ensure all installations are updated across development, staging, and production environments. Until patching is complete, implement these compensating controls: restrict plugin access to authenticated users only via role-based access control, audit and sanitize any existing stored calendar data for signs of injection payloads, enable Web Application Firewall (WAF) rules to detect and block script injection patterns in POST/PUT requests, and enforce Content Security Policy (CSP) headers with strict script-src directives to prevent execution of injected code. Monitor user account logs for suspicious activity from accounts with plugin modification permissions, and consider temporarily disabling the plugin if updates are unavailable or delayed. Review the official Simpma security advisory or the WordPress plugin repository for the authoritative patch release notes and migration guidance.
More in Embed Calendly
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11928