CVE-2025-23606

CVE-2025-23606 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Calendi WordPress plugin by sebkay. This issue affects Calendi versions from n/a through 1.1.1 inclusive. The vulnerability was published on 2025-01-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it necessitates user interaction, such as visiting a maliciously crafted link or page. Upon successful exploitation, adversaries can inject and execute arbitrary scripts in the context of the victim's browser on the affected site, achieving low impacts to confidentiality, integrity, and availability while changing the scope of the impact.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/calendi/vulnerability/wordpress-calendi-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability specifically in Calendi plugin version 1.1.1 for WordPress.