Skip to main content

Embed Calendly CVE-2026-32411

| EUVDEUVD-2026-11928 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11928
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simpma Embed Calendly embed-calendly-scheduling allows Stored XSS.This issue affects Embed Calendly: from n/a through <= 4.4.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Simpma Embed Calendly plugin (versions up to and including 4.4) that allows authenticated attackers to inject malicious scripts into web pages. An attacker with login privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected content, potentially compromising session tokens, credentials, or sensitive data. While this vulnerability requires prior authentication (lowering immediate exposure), the stored nature means the payload affects multiple victims and persists across sessions.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a failure to properly sanitize or encode user-supplied data before rendering it in HTML context. The Simpma Embed Calendly plugin (CPE: cpe:2.3:a:simpma:embed-calendly-scheduling) processes calendar embedding data without adequate input validation or output encoding. The plugin likely accepts user input for calendar customization, event descriptions, or other metadata that is then reflected back to users without escaping special characters. This allows an attacker to break out of the intended data context and inject arbitrary JavaScript code that executes with the privileges of the compromised user's session within the web application.

RemediationAI

Immediately upgrade the Simpma Embed Calendly plugin to version 4.5 or later if available from the vendor. Ensure all installations are updated across development, staging, and production environments. Until patching is complete, implement these compensating controls: restrict plugin access to authenticated users only via role-based access control, audit and sanitize any existing stored calendar data for signs of injection payloads, enable Web Application Firewall (WAF) rules to detect and block script injection patterns in POST/PUT requests, and enforce Content Security Policy (CSP) headers with strict script-src directives to prevent execution of injected code. Monitor user account logs for suspicious activity from accounts with plugin modification permissions, and consider temporarily disabling the plugin if updates are unavailable or delayed. Review the official Simpma security advisory or the WordPress plugin repository for the authoritative patch release notes and migration guidance.

Share

CVE-2026-32411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy