CVE-2026-0868: Stored XSS Vulnerability in EMC Calendly Plugin for WordPress

Severity: Medium (Score: 59.0)

Sources: infinitsec.net, nitter.net, vulnerability.circl.lu, Feedly, db.gcve.eu

Summary

The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 4.4. The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes in the plugin's calendly shortcode. Authenticated attackers with contributor-level access can inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses an injected page. CVE-2026-0868 has been assigned a CVSS score of 6.4, indicating a medium severity level. There is currently no evidence of public proof-of-concept exploits or active exploitation.

Users are advised to update the plugin to a version newer than 4.4 and to review contributor-level accounts for unauthorized changes. Monitoring for suspicious use of the calendly shortcode is also recommended. The vulnerability was first reported on April 19, 2026.

Key Points:

  • CVE-2026-0868 affects all versions of the EMC Calendly plugin up to 4.4.
  • Authenticated attackers can exploit the vulnerability to execute arbitrary scripts.
  • No active exploitation or proof-of-concept has been reported yet.
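One way to carry out the shortcode monitoring recommended in the summary is to scan stored post content for calendly shortcodes whose attribute values carry markup or script markers. This is an added example, not code from the plugin or from the listed sources; the row layout (post ID, author login, post content), the attribute names in the sample rows and the marker list are assumptions, since the page does not name the affected attributes.

```python
import re

# Opening [calendly ...] tag; captures the raw attribute string.
# Simplification: a "]" inside a quoted value ends the match early.
SHORTCODE_RE = re.compile(r"\[calendly\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value', or name=bareword
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Generic markers of markup or script in an attribute value. These are
# heuristics, not a list of inputs known to trigger CVE-2026-0868.
MARKERS = [
    ("angle bracket", re.compile(r"[<>]")),
    ("encoded angle bracket", re.compile(r"&(?:lt|gt|#0*6[02]|#x0*3[ce])\b", re.I)),
    ("script-capable URL scheme", re.compile(r"^\s*(?:javascript|vbscript|data)\s*:", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]

def scan_content(content):
    """Return [(attribute, marker, value)] for every flagged calendly attribute."""
    findings = []
    for tag in SHORTCODE_RE.finditer(content):
        for name, dq, sq, bare in ATTR_RE.findall(tag.group(1)):
            value = dq or sq or bare
            for label, pattern in MARKERS:
                if pattern.search(value):
                    findings.append((name, label, value))
    return findings

def scan_posts(posts):
    """posts: iterable of (post_id, author_login, post_content) rows."""
    report = {}
    for post_id, author, content in posts:
        hits = scan_content(content)
        if hits:
            report[post_id] = {"author": author, "hits": hits}
    return report

# Constructed sample rows (not real data); attribute names are hypothetical.
SAMPLE_POSTS = [
    (101, "editor1", '[calendly url="https://calendly.com/example/30min"]'),
    (102, "contrib7", '[calendly url="javascript:void(0)" text="<script>/*constructed*/</script>"]'),
    (103, "contrib7", "No shortcode here, just <b>markup</b> in the body."),
]

if __name__ == "__main__":
    for post_id, info in scan_posts(SAMPLE_POSTS).items():
        print(post_id, info["author"], info["hits"])
```

Flagged posts are candidates for manual review alongside the contributor-account audit; a clean result does not replace updating the plugin.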

Key Entities

  • Cross-site Scripting (attack_type)
  • XSS (vulnerability)
  • CVE-2026-0868 (cve)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • WordPress (platform)
  • Stored Cross-Site Scripting (mitre_attack)