This vulnerability in the Simple Google Calendar Outlook Events Block Widget (versions up to 2.5.0) involves improper neutralization of input during web page generation, leading to stored cross-site scripting (XSS). An attacker could inject malicious scripts that persist and execute when other users view the affected content. The CVSS 3.1 vector indicates network attack vector, low attack complexity, requiring privileges and user interaction, with impact on confidentiality, integrity, and availability rated as low to low to low respectively, resulting in an overall medium severity score of 6.5.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to information disclosure, session hijacking, or other client-side impacts. However, the impact is limited by the need for privileges and user interaction, and no known active exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor vendor communications for updates. Until a fix is available, consider restricting privileges for users who can input data into the widget and applying web application firewall (WAF) rules to detect and block malicious input patterns related to XSS.