Platform
wordpress
Component
embed-calendly-scheduling
Fixed in
4.4.1
CVE-2026-0868 describes a Stored Cross-Site Scripting (XSS) vulnerability found in the EMC – Easily Embed Calendly Scheduling Features plugin for WordPress. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts. The vulnerability affects versions up to and including 4.4, and a fix is available in version 4.5.
An attacker exploiting CVE-2026-0868 can inject malicious JavaScript code into WordPress pages via the plugin's calendly shortcode. When a user accesses a page containing the injected script, the script will execute in their browser, potentially stealing cookies, redirecting them to malicious websites, or defacing the website. The impact is amplified if the attacker can target administrators or users with elevated privileges. This could lead to account compromise and further system access.
CVE-2026-0868 was published on 2026-04-19. The CVSS score is 6.4 (Medium). Public proof-of-concept exploits are not currently known. The vulnerability requires authentication with contributor-level access, which limits the immediate exploitation probability. No information is available regarding active campaigns targeting this vulnerability.
Exploit status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0868 is to upgrade the EMC – Easily Embed Calendly Scheduling Features plugin to version 4.5 or later. Before upgrading, back up your WordPress website and database. If upgrading is not immediately feasible, consider restricting access to the plugin's shortcode functionality to trusted users only. Implement a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting the plugin. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the plugin's shortcode; the payload should not execute.
Upgrade to version 4.5 or a newer, patched version.
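Because the injected script is stored in post content, it is also worth auditing existing posts for calendly shortcodes whose attribute values contain markup. The following is an added example, not code from the plugin or from this advisory: it assumes post content has been exported as (post ID, `post_content`) pairs, and the attribute names in the sample data are hypothetical because the advisory does not name the affected attribute.

```python
import html
import re

# [calendly ...] shortcode; group 1 is the raw attribute string.
SHORTCODE_RE = re.compile(r"\[calendly\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=bare (the WordPress shortcode attribute forms).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Heuristics for values that could leave an HTML attribute or URL context.
SUSPICIOUS = [
    ("markup characters", re.compile(r"[<>\"'`]")),
    ("event handler", re.compile(r"\bon\w+\s*=", re.IGNORECASE)),
    ("script URL scheme", re.compile(r"^\s*(?:javascript|data|vbscript):", re.IGNORECASE)),
]

def audit_posts(posts):
    """Return (post_id, attribute, reason) for each suspicious calendly attribute."""
    findings = []
    for post_id, content in posts:
        for shortcode in SHORTCODE_RE.finditer(content):
            for attr in ATTR_RE.finditer(shortcode.group(1)):
                name = attr.group(1)
                raw = next(g for g in attr.groups()[1:] if g is not None)
                value = html.unescape(raw)  # catch entity-encoded markup too
                for reason, pattern in SUSPICIOUS:
                    if pattern.search(value):
                        findings.append((post_id, name, reason))
                        break  # one finding per attribute is enough
    return findings

# Constructed sample rows (post ID, post_content); attribute names are hypothetical.
SAMPLE_POSTS = [
    (101, 'Book a call: [calendly url="https://calendly.com/example/30min" type="1"]'),
    (102, "[calendly url='https://calendly.com/example' text='\"><script>alert(1)</script>']"),
    (103, '[calendly url="javascript:void(0)"]'),
    (104, '[calendly text="&lt;b&gt;Book&lt;/b&gt;"]'),
]

if __name__ == "__main__":
    for post_id, name, reason in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: calendly attribute '{name}' flagged ({reason})")
```

Flagged posts warrant manual review together with the authoring account's history, since the advisory states that contributor-level access is sufficient to store the script.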
CVE-2026-0868 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the EMC – Easily Embed Calendly Scheduling Features WordPress plugin. It allows authenticated users with contributor access to inject malicious scripts via the Calendly shortcode.
You are affected if your WordPress site uses the EMC – Easily Embed Calendly Scheduling Features plugin and is running a version prior to 4.5. Check your plugin version immediately.
Upgrade the EMC – Easily Embed Calendly Scheduling Features plugin to version 4.5 or later. If immediate upgrade is not possible, implement a WAF rule to filter malicious input.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-0868, but proactive patching is still recommended to mitigate potential future risks.
Refer to the WordPress plugin repository for updates and announcements related to this vulnerability: [https://wordpress.org/plugins/emc-easily-embed-calendly-scheduling-features/]