CVE-2026-2355: My Calendar WordPress Plugin XSS Vulnerability

CVE-2026-2355 Overview

The My Calendar – Accessible Event Manager plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 3.7.3. The vulnerability exists in the template attribute of the [my_calendar_upcoming] shortcode, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages that execute whenever users access the compromised content.

Critical Impact

Authenticated attackers can inject persistent malicious scripts that execute in victims' browsers, potentially leading to session hijacking, credential theft, website defacement, or redirection to malicious sites.

Affected Products

• My Calendar – Accessible Event Manager plugin for WordPress versions up to and including 3.7.3
• WordPress installations using vulnerable My Calendar plugin versions
• Sites with Contributor-level or higher user accounts

Discovery Timeline

• 2026-03-04 - CVE CVE-2026-2355 published to NVD
• 2026-03-04 - Last updated in NVD database

Technical Details for CVE-2026-2355

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability occurs due to improper handling of shortcode attribute values within the My Calendar plugin. The core issue stems from the use of stripcslashes() on user-supplied shortcode attribute values in the mc_draw_template() function. This function decodes C-style hex escape sequences (such as \\x3c to <) at render time, effectively bypassing WordPress's built-in wp_kses_post() content sanitization that only runs at save time.

The temporal gap between sanitization (save time) and rendering (with stripcslashes() decoding) creates a sanitization bypass that allows attackers to smuggle malicious HTML/JavaScript through encoded escape sequences that appear benign during initial validation.

Root Cause

The root cause is a sanitization timing mismatch. WordPress's wp_kses_post() function sanitizes content when it is saved to the database, removing dangerous HTML tags and attributes. However, the mc_draw_template() function subsequently processes the already-sanitized content with stripcslashes(), which decodes C-style escape sequences. Attackers can encode malicious payloads using hex escape sequences (e.g., \\x3c for < and \\x3e for >) that pass through wp_kses_post() undetected but are decoded into executable HTML/JavaScript at render time.

Attack Vector

The attack requires authenticated access with at least Contributor-level privileges on the WordPress site. An attacker creates or edits content containing the [my_calendar_upcoming] shortcode with a malicious template attribute value. The payload uses C-style hex escape sequences to encode script tags and JavaScript code. When the shortcode is processed, the encoded payload bypasses sanitization at save time but is decoded and rendered as executable script when victims view the page.

The vulnerability is accessible over the network and requires no user interaction beyond simply viewing the affected page. The attack allows scripts to execute in the context of the victim's session, potentially compromising users with higher privileges than the attacker.

Detection Methods for CVE-2026-2355

Indicators of Compromise

• Presence of unusual hex escape sequences (e.g., \\x3c, \\x3e, \\x22) in post content containing [my_calendar_upcoming] shortcodes
• User reports of unexpected browser behavior or redirects when viewing calendar pages
• Database entries in wp_posts table containing encoded script payloads within shortcode attributes
• JavaScript execution errors in browser consoles related to injected content

Detection Strategies

• Implement Web Application Firewall (WAF) rules to detect and block C-style hex escape sequences in shortcode attributes
• Perform regular database audits scanning for encoded script patterns in posts using My Calendar shortcodes
• Enable Content Security Policy (CSP) headers to detect and block inline script execution
• Monitor server access logs for suspicious patterns of content creation by Contributor-level accounts

Monitoring Recommendations

• Configure real-time alerting for content modifications containing My Calendar shortcodes
• Implement integrity monitoring for WordPress post content to detect unauthorized script injections
• Deploy browser-based XSS detection tools that alert on unexpected script execution
• Review WordPress audit logs for unusual shortcode usage patterns by lower-privileged users

How to Mitigate CVE-2026-2355

Immediate Actions Required

• Update the My Calendar plugin to a patched version beyond 3.7.3 immediately
• Audit existing posts and pages for malicious content containing encoded payloads in [my_calendar_upcoming] shortcodes
• Review and restrict Contributor-level account access until the patch is applied
• Implement Content Security Policy headers to limit the impact of any existing XSS payloads

Patch Information

The vulnerability has been addressed in versions after 3.7.3 of the My Calendar plugin. The fix modifies how the mc_draw_template() function handles shortcode attribute values to prevent the decoding of malicious escape sequences. Detailed changeset information is available in the WordPress Changeset Details.

Additional technical details about the vulnerable code paths can be found in the WordPress Plugin Shortcode File and WordPress Plugin Templates File. For complete vulnerability analysis, refer to the Wordfence Vulnerability Report.

Workarounds

• Temporarily disable the My Calendar plugin until a patched version can be applied
• Remove or restrict Contributor-level and above accounts that are not essential to site operations
• Implement strict Content Security Policy headers to block inline script execution
• Deploy a Web Application Firewall with rules to filter hex escape sequences in POST data

# Example Content Security Policy header configuration for Apache
# Add to .htaccess or httpd.conf to help mitigate XSS impact
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none';"