Platform: wordpress
Component: embed-calendly-scheduling
Fixed in: 4.4.1
CVE-2026-0868 describes a Stored Cross-Site Scripting (XSS) vulnerability found in the EMC – Easily Embed Calendly Scheduling Features plugin for WordPress. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts. The vulnerability affects versions up to and including 4.4, and a fix is available in version 4.5.
An attacker exploiting this XSS vulnerability can inject malicious JavaScript code into WordPress pages through the Calendly shortcode. When a user visits a page containing the injected script, the attacker's code will execute in the user's browser, potentially stealing cookies, redirecting the user to a malicious website, or defacing the website. The impact is amplified if the attacker can target users with administrative privileges, enabling them to gain full control of the WordPress site. This vulnerability shares similarities with other XSS exploits where user input is not properly sanitized before being displayed, leading to code execution within the context of the vulnerable website.
CVE-2026-0868 was published on 2026-04-19. The vulnerability's severity is currently assessed as Medium (CVSS 6.4). There are no known public exploits or active campaigns targeting this specific vulnerability at the time of writing. It is not currently listed on KEV or EPSS, indicating a low probability of immediate exploitation, but diligent patching is still recommended.
Exploit Status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-0868 is to upgrade the EMC – Easily Embed Calendly Scheduling Features plugin to version 4.5 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input within the Calendly shortcode. Specifically, look for unusual characters or patterns commonly associated with XSS payloads. Additionally, review and sanitize any user-supplied attributes used within the shortcode to prevent further exploitation. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the Calendly shortcode and verifying that it does not execute.
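As an added illustration of the bug class behind this advisory (not the plugin's own code; the shortcode name, attribute names, markup and the calendly.com host check are assumptions), the unescaped output pattern sits beside the form WordPress's escaping helpers give it:

```php
<?php
// Added example, not taken from the plugin. Hypothetical shortcode
// [calendly_demo url="..." text="..."] that renders an inline embed container.

// Vulnerable pattern: attribute values saved by a contributor are echoed
// verbatim into HTML, so a crafted value breaks out of the attribute and
// runs as stored XSS for every visitor who loads the page.
function calendly_demo_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'text' => 'Schedule' ),
        $atts,
        'calendly_demo'
    );
    return '<div class="calendly-inline-widget" data-url="' . $atts['url'] . '">'
         . $atts['text'] . '</div>';
}

// Hardened pattern: escape at output time for the context each value lands in.
// esc_url() strips disallowed schemes (e.g. javascript:), esc_attr() neutralises
// quotes that would terminate the attribute, esc_html() covers the text node.
function calendly_demo_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'text' => 'Schedule' ),
        $atts,
        'calendly_demo'
    );
    $url = esc_url( $atts['url'] );

    // Additional defence (assumption for this example): only accept embed URLs
    // on calendly.com, so a valid-looking but foreign URL is dropped too.
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host || ! preg_match( '/(^|\.)calendly\.com$/i', $host ) ) {
        return '';
    }

    return '<div class="calendly-inline-widget" data-url="' . esc_attr( $url ) . '">'
         . esc_html( $atts['text'] ) . '</div>';
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_shortcode( 'calendly_demo', 'calendly_demo_shortcode_hardened' );
```

The same review applies to any attribute the real shortcode accepts: every value must pass through the escaping function matching its output context before it reaches the page.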
Update to version 4.5, or a newer patched version
CVE-2026-0868 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the EMC – Easily Embed Calendly Scheduling Features WordPress plugin. It allows authenticated users with contributor access to inject malicious scripts via the Calendly shortcode.
You are affected if your WordPress site uses the EMC – Easily Embed Calendly Scheduling Features plugin and is running a version prior to 4.5. Check your plugin version immediately.
Upgrade the EMC – Easily Embed Calendly Scheduling Features plugin to version 4.5 or later. If immediate upgrade is not possible, implement a WAF rule to filter malicious input.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-0868, but proactive patching is still recommended to mitigate potential future risks.
Refer to the WordPress plugin repository for updates and announcements related to this vulnerability: https://wordpress.org/plugins/emc-easily-embed-calendly-scheduling-features/