CVE-2026-2355 is a stored cross-site scripting vulnerability in the My Calendar – Accessible Event Manager WordPress plugin (up to version 3.7.3). The issue arises from the use of `stripcslashes()` in the `mc_draw_template()` function, which decodes C-style hex escape sequences in the `template` shortcode attribute at render time. This decoding bypasses the `wp_kses_post()` sanitization that occurs at save time, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript into pages. When these pages are viewed, the injected scripts execute in the context of the site, potentially compromising user sessions or data. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity), with network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality and integrity but not availability. No known exploits in the wild or vendor patches are currently documented.

An attacker with Contributor-level or higher access can inject persistent malicious scripts into pages via the vulnerable shortcode attribute. These scripts execute in the browsers of users who visit the infected pages, potentially leading to session hijacking, data theft, or other unauthorized actions within the context of the affected WordPress site. The vulnerability impacts confidentiality and integrity but does not affect availability. There are no known active exploits reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only and consider disabling or removing the My Calendar – Accessible Event Manager plugin if possible. Monitor for updates from the vendor or WordPress plugin repository regarding patches or mitigations.