
CVE-2026-2396: XSS in List View Google Calendar

Platform: wordpress
Component: list-view-google-calendar
Fixed in: 7.4.4

CVE-2026-2396 is a stored Cross-Site Scripting (XSS) vulnerability affecting the List View Google Calendar plugin for WordPress. This vulnerability allows authenticated attackers, specifically those with administrator-level access, to inject arbitrary web scripts. The issue stems from insufficient input sanitization and output escaping within the event description field, impacting versions up to 7.4.3. A patch is available in version 7.4.4.


Impact and Attack Scenarios

Successful exploitation of CVE-2026-2396 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser when they access a page containing the injected script. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data. The vulnerability is particularly concerning because it requires only administrator-level access, a privilege often held by multiple users within an organization. The impact is amplified in multi-site WordPress installations where a single compromised administrator could potentially affect multiple sites.

Exploitation Context

CVE-2026-2396 was published on April 14, 2026. Severity is currently assessed as Medium (CVSS 4.4). No public Proof-of-Concept (POC) exploits have been identified as of this writing, and there are no indications of active campaigns targeting this vulnerability. The vulnerability is not currently listed on KEV or EPSS, suggesting a low probability of immediate exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.03% (10th percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Base score: 4.4 (Medium), as computed by nextguardhq.com

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: High — admin or privileged account required to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS (for an XSS, the injected script runs in the victim's browser, outside the plugin's own security scope).
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: list-view-google-calendar
Vendor: wordfence
Minimum version: 0.0.0
Maximum version: 7.4.3
Fixed in: 7.4.4


Mitigation and Workarounds

The primary mitigation for CVE-2026-2396 is to upgrade the List View Google Calendar plugin to version 7.4.4 or later. If upgrading is not immediately feasible, consider disabling the plugin entirely to prevent further exploitation. In multi-site installations where unfiltered_html is enabled, ensure that event descriptions are carefully reviewed and sanitized before publication. While a Web Application Firewall (WAF) might offer some protection, it is not a substitute for patching the vulnerable plugin. After upgrading, verify the fix by creating a new event with a malicious script in the description and confirming that the script does not execute when the event page is accessed.
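The advisory attributes the bug to missing sanitization and escaping of the event description. The following is an added illustration of the two controls a WordPress plugin needs for such a field; it is not the List View Google Calendar plugin's own code, and the function names, the post type `lvgc_event` and the meta key `lvgc_description` are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): preventing stored XSS in an
// event description field in a WordPress plugin. Names prefixed lvgc_
// are hypothetical.

// Control 1 - sanitize on save. wp_kses_post() keeps the HTML WordPress
// allows in post content and strips <script>, on* event handlers,
// javascript: URLs and similar. It is applied regardless of whether the
// saving user holds the unfiltered_html capability (on a multisite only
// super admins do), because the field is rendered on the public site.
function lvgc_sanitize_description( $raw ) {
    return wp_kses_post( (string) $raw );
}

// Register the meta key so WordPress runs the sanitizer on every write,
// including writes made through the REST API.
add_action( 'init', function () {
    register_post_meta( 'lvgc_event', 'lvgc_description', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'lvgc_sanitize_description',
        'show_in_rest'      => true,
    ) );
} );

// Control 2 - escape on output, per context.
// Vulnerable pattern (what "insufficient output escaping" looks like):
//   echo '<div class="lvgc-desc" title="' . $title . '">' . $desc . '</div>';
// Hardened form: attribute context gets esc_attr(); the rich-text body is
// re-filtered with wp_kses_post() in case the row was stored by an older,
// unpatched version or written directly to the database.
function lvgc_render_description( $title, $stored_description ) {
    return sprintf(
        '<div class="lvgc-desc" title="%s">%s</div>',
        esc_attr( $title ),
        wp_kses_post( $stored_description )
    );
}
```

Escaping at output is the control that protects existing rows after an upgrade; sanitizing at save alone leaves any description stored before the patch unchanged.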

How to fix

Update to version 7.4.4, or a newer patched version

Frequently asked questions

What is CVE-2026-2396 — XSS in List View Google Calendar?

CVE-2026-2396 is a stored Cross-Site Scripting (XSS) vulnerability in the List View Google Calendar WordPress plugin. It allows authenticated administrators to inject malicious scripts via event descriptions, potentially compromising user sessions and website integrity.

Am I affected by CVE-2026-2396 in List View Google Calendar?

You are affected if you are using the List View Google Calendar plugin for WordPress in versions 0.0.0 through 7.4.3, especially if you are running a multi-site installation with unfiltered_html disabled.

How do I fix CVE-2026-2396 in List View Google Calendar?

Upgrade the List View Google Calendar plugin to version 7.4.4 or later to resolve the vulnerability. If immediate upgrade is not possible, disable the plugin.

Is CVE-2026-2396 being actively exploited?

As of now, there are no public Proof-of-Concept exploits or reports of active campaigns targeting CVE-2026-2396, but vigilance is still advised.

Where can I find the official List View Google Calendar advisory for CVE-2026-2396?

Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and release notes regarding CVE-2026-2396.
