CVE-2025-67555 identifies a stored Cross-site Scripting (XSS) vulnerability in useStrict's Calendly Embedder plugin, versions up to and including 1.1.7.2. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently within the application. When other users or administrators visit the affected web pages, the malicious script executes in their browsers under the context of the vulnerable site. This can lead to a range of attacks including session hijacking, theft of cookies or credentials, defacement, or distribution of malware. The vulnerability does not require authentication, increasing its risk profile, and does not depend on user interaction beyond visiting the compromised page. Currently, there are no known public exploits or patches available, indicating that the vulnerability has been recently disclosed. The plugin is commonly used to embed Calendly scheduling widgets into websites, which means many organizations integrating scheduling functionality via this plugin could be exposed. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors, which suggests a high severity due to the stored nature of the XSS and the potential for widespread impact on users and administrators alike.

For European organizations, this vulnerability poses a significant risk to website integrity and user trust. Attackers exploiting the stored XSS can hijack user sessions, steal sensitive information, or perform actions on behalf of users, potentially leading to data breaches or unauthorized access. Organizations relying on useStrict's Calendly Embedder to provide scheduling services on their websites may inadvertently expose their customers and employees to malicious scripts. This can damage brand reputation and lead to regulatory scrutiny under GDPR if personal data is compromised. Additionally, the persistent nature of stored XSS means that the malicious payload remains active until the vulnerability is remediated, increasing the window of exposure. The impact is particularly critical for sectors with high web presence and sensitive data handling such as finance, healthcare, and e-commerce. The absence of patches and known exploits suggests that attackers may develop weaponized payloads soon, increasing urgency for mitigation.

1. Immediately audit websites for the presence of useStrict's Calendly Embedder plugin and identify versions at or below 1.1.7.2. 2. Disable or remove the vulnerable plugin until a secure update or patch is released by the vendor. 3. Monitor vendor communications and Patchstack advisories for official patches and apply them promptly. 4. Implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 5. Sanitize and validate all user inputs rigorously on the server side to prevent injection of malicious code. 6. Conduct regular security testing, including automated scanning and manual penetration testing focused on XSS vulnerabilities. 7. Educate web developers and administrators about secure coding practices and the risks of embedded third-party plugins. 8. Review and monitor web server logs and user activity for signs of exploitation or unusual behavior. 9. Consider deploying Web Application Firewalls (WAF) with rules targeting XSS attack patterns to provide an additional layer of defense.