CVE-2026-2396: List View Google Calendar Plugin XSS Flaw

CVE-2026-2396 Overview

CVE-2026-2396 is a Stored Cross-Site Scripting (XSS) vulnerability in the List View Google Calendar plugin for WordPress. The flaw affects all plugin versions up to and including 7.4.3. It stems from insufficient input sanitization and output escaping in the event description field. Authenticated attackers with administrator-level access can inject arbitrary web scripts that execute when users access affected pages. The vulnerability is classified under [CWE-79]. It only impacts multi-site installations and installations where unfiltered_html has been disabled.

Critical Impact

Authenticated administrators on multi-site WordPress deployments can inject persistent JavaScript that runs in the browser context of any visitor, enabling session theft, defacement, and lateral privilege actions.

Affected Products

• List View Google Calendar plugin for WordPress — all versions through 7.4.3
• WordPress multi-site installations running the plugin
• WordPress installations with unfiltered_html capability disabled

Discovery Timeline

• 2026-04-15 - CVE-2026-2396 published to NVD
• 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-2396

Vulnerability Analysis

The List View Google Calendar plugin renders Google Calendar event data inside WordPress pages and posts. The event description field accepts user-supplied input that is later rendered to the page without adequate sanitization or output escaping. As a result, script payloads stored in the description persist in the database and execute in the browser of every visitor who loads the rendering page.

The vulnerability requires administrator-level privileges to exploit, which constrains the attack surface. However, in WordPress multi-site environments, site administrators are not always fully trusted by the network owner. The same applies to single-site installations where unfiltered_html has been removed to restrict HTML usage. In both contexts, this sanitization gap allows administrators to bypass the intended HTML filtering policy.

Root Cause

The root cause is missing input sanitization on storage and missing output escaping on render within the plugin's tag rendering logic in library/tags/li.php. WordPress provides functions such as wp_kses_post() for filtering allowed HTML and esc_html() or esc_attr() for context-aware output escaping. The plugin fails to apply these to the event description value before echoing it into the page DOM.

Attack Vector

An authenticated attacker with administrator access supplies a malicious payload through the event description field consumed by the plugin. When a page containing the rendered calendar list is viewed, the browser parses and executes the injected script. The payload can perform actions in the context of the victim's session, including cookie theft, CSRF token harvesting, account takeover via password reset flows, and arbitrary DOM manipulation. See the WordPress Plugin Code Review and the Wordfence Vulnerability Report for technical specifics.

No public proof-of-concept exploit code has been released. The vulnerability mechanism involves stored payloads in event description fields that bypass plugin-side filtering and reach the rendered page unescaped.

Detection Methods for CVE-2026-2396

Indicators of Compromise

• Calendar event descriptions containing <script> tags, javascript: URIs, or HTML event handler attributes such as onerror, onload, or onclick.
• Unexpected outbound browser requests from pages rendering the List View Google Calendar shortcode or block.
• New or modified administrator accounts following access to plugin-rendered pages.
• WordPress database rows in wp_posts or plugin-specific tables containing encoded or obfuscated JavaScript within calendar event content.

Detection Strategies

• Audit the WordPress database for stored event descriptions containing HTML tags or script-like patterns.
• Monitor administrator activity logs for plugin configuration changes and event creation by accounts that do not typically manage calendars.
• Use a Content Security Policy (CSP) reporting endpoint to capture inline script violations on pages embedding the calendar list.

Monitoring Recommendations

• Enable WordPress activity logging plugins to record administrator-level edits to calendar events and plugin settings.
• Forward web server access logs to a centralized log platform and alert on anomalous response patterns from pages embedding the calendar.
• Track plugin version inventory across multi-site networks to confirm patched versions are deployed.

How to Mitigate CVE-2026-2396

Immediate Actions Required

• Update the List View Google Calendar plugin to a version newer than 7.4.3 once a fixed release is available from the vendor.
• Review all existing calendar event descriptions for embedded HTML or script content and remove malicious entries.
• Restrict administrator account provisioning on multi-site networks and audit which sub-site administrators hold elevated privileges.

Patch Information

No fixed version is referenced in the current advisory data. Monitor the Wordfence Vulnerability Report and the plugin's WordPress.org page for an official patched release. Until a patched version is published, treat the plugin as vulnerable on multi-site and unfiltered_html-restricted installations.

Workarounds

• Deactivate the List View Google Calendar plugin on affected WordPress multi-site networks until a patched version is released.
• Restore the unfiltered_html capability only for fully trusted super-administrators where operationally acceptable, recognizing this expands trust scope rather than fixing the flaw.
• Deploy a Web Application Firewall (WAF) rule to block requests containing script tags or event-handler attributes in calendar event payloads.
• Implement a strict Content Security Policy disallowing inline scripts on pages rendering calendar content.