{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2396", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T12:56:59.489Z", "datePublished": "2026-04-14T23:26:07.293Z", "dateUpdated": "2026-04-14T23:26:07.293Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T23:26:07.293Z"}, "affected": [{"vendor": "kimipooh", "product": "List View Google Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "List View Google Calendar <= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Event Description", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c339bf65-c522-4954-8aed-275c51298aea?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/list-view-google-calendar/tags/7.4.3/library/tags/li.php#L6"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Pattama Tangpoonponwiwat"}], "timeline": [{"time": "2026-02-01T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-14T11:14:32.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2026-2396", "lastModified": "2026-04-15T04:17:33.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T04:17:33.783", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/list-view-google-calendar/tags/7.4.3/library/tags/li.php#L6"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c339bf65-c522-4954-8aed-275c51298aea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "List View Google Calendar", "source": "cna", "vendor": "kimipooh"}, "product": "list_view_google_calendar", "vendor": "kimipooh"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T00:20:31.951574+00:00", "value": {"mitigation_remediation": ["Upgrade List View Google Calendar plugin to version\u202f7.4.4 or later", "If upgrading is not immediately possible, deactivate the plugin to prevent injected scripts from executing", "Review administrator roles to ensure they do not have the unfiltered_html capability and consider enforcing stricter input sanitization for event descriptions"], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via event descriptions"}, "threat_synthesis": {"affected_systems": "Vendors: kimipooh. Product: List View Google Calendar, all releases up to and including version\u202f7.4.3. The flaw affects only multi\u2011site WordPress installations where the unfiltered_html capability is disabled, and it requires the attacker to have administrator\u2011level access.", "description_and_impact": "The List View Google Calendar plugin for WordPress contains a stored cross\u2011site scripting flaw that allows an authenticated user with administrator privileges to inject arbitrary scripts into event descriptions. When an event page is viewed, the unsanitized script is executed in the visitor\u2019s browser, enabling the attacker to hijack sessions, steal credentials, or deface the site. This vulnerability stems from inadequate input filtering and output escaping.", "risk_and_exploitability": "CVSS score is 4.4, indicating a moderate severity level. The exploitability metric is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local, as the attacker must be authenticated and possess administrative rights. Because the impact is limited to injected pages and limited to administrators, the overall risk is moderate; however, the plugin upgrade should be applied promptly to eliminate the possibility of script injection attacks."}}}}, "created": "2026-04-15T14:28:41.084312+00:00", "updated": "2026-04-15T14:53:37.892524+00:00", "vendors": ["kimipooh", "kimipooh$PRODUCT$list_view_google_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}