Skip to main content

Lockme Calendars Integration

1 CVEs product

Monthly

CVE-2026-3367 MEDIUM This Month

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.

WordPress XSS Lockme Calendars Integration
NVD
CVSS 3.1
4.4
EPSS
0.3%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.

WordPress XSS Lockme Calendars Integration
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy