CVE-2025-67555 is a stored Cross-site Scripting (XSS) vulnerability identified in useStrict's Calendly Embedder (cal-embedder-lite) up to version 1.1.7.2. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored and later executed in the context of users visiting the affected web pages. This stored XSS can be exploited by an attacker with limited privileges (PR:L) and requires user interaction (UI:R), such as clicking a link or visiting a compromised page, to trigger the payload. The vulnerability impacts confidentiality, integrity, and availability to a limited extent (C:L/I:L/A:L) and has a scope change (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. The CVSS vector indicates network attack vector (AV:N) and low attack complexity (AC:L), making exploitation feasible in many environments. While no known exploits have been reported in the wild, the presence of stored XSS in a widely used embedder for Calendly scheduling widgets poses a risk for session hijacking, credential theft, or defacement attacks. The vulnerability affects web applications embedding Calendly via useStrict's plugin, potentially impacting both public-facing and internal organizational portals. The lack of available patches or updates at the time of publication necessitates immediate mitigation efforts by administrators.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on useStrict's Calendly Embedder to integrate scheduling functionalities into their websites or internal portals. Exploitation could allow attackers to execute arbitrary JavaScript in the context of users, leading to session hijacking, theft of sensitive information, or manipulation of web content. This could result in reputational damage, data breaches, and disruption of business operations. Organizations in sectors with high regulatory scrutiny, such as finance, healthcare, and government, may face compliance violations if user data confidentiality or integrity is compromised. Additionally, the scope change in the vulnerability suggests that the attack could affect other components or services linked to the embedder, potentially amplifying the damage. Given the medium severity and ease of exploitation, attackers could leverage this vulnerability as part of broader attack campaigns targeting European enterprises with web-facing services.

1. Immediate mitigation should include disabling or removing the useStrict Calendly Embedder from all web properties until a patch or update is available. 2. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 3. Conduct thorough input validation and output encoding on all user-supplied data within the application, especially where the embedder processes inputs. 4. Monitor web application logs and user activity for unusual behavior that may indicate exploitation attempts. 5. Educate web developers and administrators about secure coding practices related to XSS and the importance of sanitizing inputs in third-party components. 6. Once a patch or updated version is released by useStrict, prioritize timely deployment across all affected systems. 7. Consider implementing Web Application Firewalls (WAFs) with rules targeting known XSS attack patterns to provide an additional layer of defense. 8. Review and limit user privileges to reduce the risk of attackers injecting malicious content.