WordPress Plugin Vulnerability Report – Embed Calendly – Authenticated Stored Cross-Site Scripting – CVE-2023-4995

Plugin Name: Embed Calendly

Key Information:

  • Software Type: Plugin
  • Software Slug: embed-calendly-scheduling
  • Software Status: Active
  • Software Author: turn2honey
  • Software Downloads: 165,873
  • Active Installs: 20,000
  • Last Updated: October 13th, 2023
  • Patched Versions: 3.7
  • Affected Versions: <= 3.6

Vulnerability Details:

  • Name: Embed Calendly <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2023-4995
  • CVSS Score: 6.4
  • Publicly Published: October 12, 2023
  • Researcher: LanaCodes
  • Description: The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The Embed Calendly plugin for WordPress has a vulnerability in versions up to and including 3.6 that allows authenticated attackers with contributor-level and above permissions to execute arbitrary web scripts via the 'calendly' shortcode. This vulnerability has been patched in version 3.7.

Detailed Overview:

This vulnerability, identified by researcher LanaCodes, is a critical security concern. The flaw is in the handling of user-supplied attributes within the 'calendly' shortcode, which is insufficiently sanitized and lacks proper output escaping. As a result, authenticated attackers with contributor-level and above permissions can inject malicious web scripts into pages. When users access these compromised pages, the injected scripts execute, potentially leading to various security risks, including data theft or manipulation.

Advice for Users:

Immediate Action: It is crucial for all users of the Embed Calendly plugin to update to version 3.7 or later immediately. This update contains the necessary security patches to address the vulnerability.

Check for Signs of Vulnerability: Users should thoroughly review their WordPress websites for any signs of compromise, such as unexpected script execution or unusual behavior. If any suspicious activity is detected, it should be investigated promptly.

Alternate Plugins: While a patch is available for Embed Calendly, users might consider alternative plugins that offer similar functionality as an extra precaution.

Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities. Regularly monitoring for plugin updates and promptly applying them is essential for maintaining a secure WordPress installation.


The swift response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are strongly advised to ensure they are running version 3.7 or later to secure their WordPress installations against potential exploitation of this vulnerability.


Detailed Report:

Keeping Your WordPress Site Secure: A Case Study on the Embed Calendly Vulnerability

Keeping your WordPress website secure should be a top priority as a website owner. Unfortunately, vulnerabilities in plugins and themes occur frequently, leaving sites exposed if updates aren't applied promptly. One such vulnerability was recently disclosed in the popular Embed Calendly plugin, used by over 20,000 WordPress sites. This post covers the details of this vulnerability, how to update your site, and why staying on top of security is so critical.

About the Embed Calendly Plugin

The Embed Calendly plugin, with over 165,000 downloads, allows users to easily embed Calendly appointment scheduling calendars into WordPress pages and posts. This useful plugin was developed by turn2honey and currently has around 20,000 active installs.

Vulnerability Details

Researcher LanaCodes discovered a stored cross-site scripting (XSS) vulnerability affecting Embed Calendly versions 3.6 and below. This vulnerability allows users with contributor access or higher to inject malicious JavaScript code into pages via the Calendly shortcode.

This stored XSS vulnerability can be exploited to compromise user sessions, deface sites, redirect to malicious URLs, or otherwise compromise site security and integrity. The vulnerability received a relatively high severity score of 6.4 on the CVSS scale.

The researcher responsibly disclosed the vulnerability, which has been patched by the developers in version 3.7 of Embed Calendly through improved input validation and output encoding.

Impacts of the Vulnerability

This vulnerability is especially dangerous because any user with author or contributor access could exploit it, not just admins. On vulnerable sites, an attacker could potentially:

  • Steal or hijack user sessions
  • Deface sites by altering content
  • Redirect pages to malicious URLs
  • Install malware or backdoors
  • Access sensitive user or admin data
  • Launch further attacks on the site and server

Upgrading to Patch the Vulnerability

While the developer has patched this vulnerability in Embed Calendly version 3.7, many vulnerable sites likely have not yet updated. We highly recommend updating to the latest fixed release immediately to ensure your site is secure.

If you need any assistance updating plugins and themes, our team of WordPress experts can help ensure your site is locked down tight.

The Importance of Staying on Top of Vulnerabilities

This vulnerability highlights why it's so critical to stay on top of security updates for WordPress and all plugins and themes. Outdated software is one of the biggest threats to WordPress site security today.

Even if you don't use this particular vulnerable plugin, treat this case study as a reminder to check that all your plugins, themes, and WordPress core are running the absolute latest versions. Don't leave the door open for attackers.

As a busy small business owner, staying on top of security can feel daunting. But with the help of managed WordPress hosting providers and experts, you can ensure your site is secure, updated, and safe.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.

WordPress Plugin Vulnerability Report – Embed Calendly – Authenticated Stored Cross-Site Scripting – CVE-2023-4995 FAQs

Leave a Comment