CVE-2025-14548: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kieranoshea Calendar
The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings.
AI Analysis
Technical Summary
The vulnerability CVE-2025-14548 affects the kieranoshea Calendar plugin for WordPress, specifically versions up to and including 1.3.16. It is a stored cross-site scripting (XSS) vulnerability categorized under CWE-79, caused by insufficient sanitization and escaping of the 'event_desc' parameter during web page generation. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into calendar event descriptions. When other users, including administrators, view the affected calendar pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. Exploitation requires that administrators enable lower privilege users to manage calendar events, which is a configurable setting in the plugin. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required but no user interaction needed. No patches or official fixes are currently listed, and no known exploits have been reported in the wild. The vulnerability highlights the risk of improper input validation in web applications, especially in widely used CMS plugins.
Potential Impact
This vulnerability can lead to unauthorized script execution in the context of affected websites, compromising the confidentiality and integrity of user sessions and data. Attackers with Contributor-level access can leverage this to execute persistent XSS attacks, potentially stealing administrator credentials, performing actions on behalf of administrators, or spreading malware. The impact is particularly severe in environments where administrators allow lower privilege users to manage calendar events, increasing the attack surface. While availability is not directly affected, the breach of trust and potential data leakage can cause reputational damage and operational disruptions. Organizations relying on the kieranoshea Calendar plugin in WordPress environments are at risk, especially those with multiple contributors or collaborative event management. The medium CVSS score reflects moderate risk but significant potential for privilege escalation and data compromise if exploited.
Mitigation Recommendations
Organizations should immediately review and restrict permissions related to calendar event management, ensuring only trusted users have Contributor-level or higher access. Administrators should disable the setting that allows lower privilege users to manage calendar events until a patch is available. Input validation and output escaping should be implemented or enhanced in the plugin code to sanitize the 'event_desc' parameter properly. Monitoring web logs and user activity for unusual event descriptions or script injections can help detect exploitation attempts. Employing a Web Application Firewall (WAF) with rules targeting XSS payloads can provide additional protection. Regularly updating WordPress plugins and subscribing to security advisories from the plugin vendor or WordPress security teams is critical. If feasible, temporarily disabling the Calendar plugin or replacing it with a secure alternative until a patch is released is advisable.
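The sanitize-on-save plus escape-on-output pattern recommended above, as an added illustration rather than the Calendar plugin's own code. It assumes it runs inside WordPress (wp_kses_post, esc_html and sanitize_text_field are core functions); the calendar_demo_* function names and the $event array layout are hypothetical.

```php
<?php
// Illustrative example only: not the Calendar plugin's own code.
// Assumes WordPress is loaded so wp_kses_post(), esc_html() and
// sanitize_text_field() exist. Function and field names are hypothetical.

// The CWE-79 shape: a stored value is written into the page verbatim.
function calendar_demo_render_unsafe( array $event ): string {
    // No escaping: any markup stored in event_desc reaches the browser as-is,
    // so a <script> or on* handler saved by a Contributor runs for every viewer.
    return '<div class="event">' . $event['event_desc'] . '</div>';
}

// Hardened step 1: sanitize on save. wp_kses_post() keeps the HTML subset
// allowed in post content and strips script tags, event handlers and
// javascript: URLs before the description ever reaches the database.
function calendar_demo_save( array $raw ): array {
    return array(
        'event_title' => sanitize_text_field( $raw['event_title'] ?? '' ),
        'event_desc'  => wp_kses_post( $raw['event_desc'] ?? '' ),
    );
}

// Hardened step 2: escape on output regardless of what was saved, because
// rows stored before the fix (or via another code path) may already carry
// active content. esc_html() renders the value as text, never as markup.
function calendar_demo_render_safe( array $event ): string {
    return '<div class="event">' . esc_html( $event['event_desc'] ) . '</div>';
}

// If the description must keep limited formatting, filter at output time too
// instead of trusting the stored value.
function calendar_demo_render_formatted( array $event ): string {
    return '<div class="event">' . wp_kses_post( $event['event_desc'] ) . '</div>';
}
```

Escaping at output is the control that actually closes the stored XSS; sanitizing on save only reduces what gets stored in the first place.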
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-11T18:51:52.835Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694a62c0033f6f66d77784e9
Added to database: 12/23/2025, 9:37:04 AM
Last enriched: 2/27/2026, 11:25:35 AM
Last updated: 3/25/2026, 10:04:08 AM