{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2355", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-11T16:51:07.908Z", "datePublished": "2026-03-04T11:22:29.620Z", "dateUpdated": "2026-04-08T16:33:01.860Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:01.860Z"}, "affected": [{"vendor": "joedolson", "product": "My Calendar \u2013 Accessible Event Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "My Calendar \u2013 Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03d5c82e-f82f-4156-bb3e-e6eb365a6c36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-shortcodes.php#L112"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-templates.php#L83"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-templates.php#L83"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-shortcodes.php#L112"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464603%40my-calendar%2Ftrunk&old=3454989%40my-calendar%2Ftrunk&sfp_email=&sfph_mail=#file6"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-11T19:25:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-03T22:33:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T15:01:10.759696Z", "id": "CVE-2026-2355", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:01:18.317Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T15:01:10.759696Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:01:14.020Z"}}], "cna": {"title": "My Calendar \u2013 Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "joedolson", "product": "My Calendar \u2013 Accessible Event Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.7.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-11T19:25:20.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-03T22:33:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03d5c82e-f82f-4156-bb3e-e6eb365a6c36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-shortcodes.php#L112"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-templates.php#L83"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-templates.php#L83"}, {"url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-shortcodes.php#L112"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464603%40my-calendar%2Ftrunk&old=3454989%40my-calendar%2Ftrunk&sfp_email=&sfph_mail=#file6"}], "descriptions": [{"lang": "en", "value": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:01.860Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2355", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:01.860Z", "dateReserved": "2026-02-11T16:51:07.908Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-04T11:22:29.620Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin My Calendar \u2013 Accessible Event Manager para WordPress es vulnerable a ataques de tipo Stored Cross-Site Scripting a trav\u00e9s del atributo \u00abtemplate\u00bb del shortcode \u00ab[my_calendar_upcoming]\u00bb en todas las versiones hasta la 3.7.3, incluida esta. Esto se debe al uso de \u00abstripcslashes()\u00bb en los valores de los atributos de los c\u00f3digos cortos proporcionados por el usuario en la funci\u00f3n \u00abmc_draw_template()\u00bb, que decodifica las secuencias de escape hexadecimales de estilo C (por ejemplo, \u00ab\\x3c\u00bb a \u00ab&lt;\u00bb) en el momento de la representaci\u00f3n, eludiendo la sanitizaci\u00f3n de contenido \u00abwp_kses_post()\u00bb de WordPress que se ejecuta en el momento del guardado. Esto permite a los atacantes autenticados, con acceso de nivel colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2355", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-04T12:16:03.023", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-shortcodes.php#L112"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.2/my-calendar-templates.php#L83"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-shortcodes.php#L112"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-templates.php#L83"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464603%40my-calendar%2Ftrunk&old=3454989%40my-calendar%2Ftrunk&sfp_email=&sfph_mail=#file6"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03d5c82e-f82f-4156-bb3e-e6eb365a6c36?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "My Calendar \u2013 Accessible Event Manager", "source": "cna", "vendor": "joedolson"}, "product": "my_calendar_\u2013_accessible_event_manager", "vendor": "joedolson"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:04:05.042385+00:00", "value": {"mitigation_remediation": ["Update the plugin to version 3.7.4 or later where the issue is fixed.", "If an immediate update is not feasible, remove or modify any use of the template attribute in existing shortcodes, or restrict it to safe default values so that no untrusted input can be stored.", "As an interim workaround, ensure that all content rendered by the plugin is passed through wp_kses_post() or another sanitization routine that strips script tags and escapes special characters before storing."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All versions of the My Calendar \u2013 Accessible Event Manager plugin up to and including 3.7.3 running on WordPress sites are impacted. The vulnerability is present in the mc_draw_template() function handling the template attribute of the [my_calendar_upcoming] shortcode. Contributor\u2011level or higher authenticated users on affected installations can exploit it.", "description_and_impact": "The My Calendar \u2013 Accessible Event Manager plugin for WordPress is vulnerable to stored cross\u2011site scripting through the template attribute of the [my_calendar_upcoming] shortcode. The flaw arises because user\u2011supplied attribute values are processed with stripcslashes, which decodes C\u2011style escape sequences before WordPress\u2019s content sanitization runs, allowing attackers to store arbitrary JavaScript that executes when a page containing the shortcode is viewed.", "risk_and_exploitability": "The CVSS score is 6.4, indicating moderate severity, but the EPSS score is below 1\u2009%, suggesting low likelihood of exploit. The vulnerability is not listed in the CISA KEV catalog. Attackers need only an authenticated Contributor or higher role and use of the shortcode with a crafted template value; the injected script runs for any visitor who loads the affected page. Consequently, the risk is moderate but exploit probability remains low."}}}}, "created": "2026-03-04T21:03:41.707757+00:00", "updated": "2026-04-15T20:15:13.704698+00:00", "vendors": ["joedolson", "joedolson$PRODUCT$my_calendar_\u2013_accessible_event_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}