CVE-2026-2355: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in joedolson My Calendar – Accessible Event Manager
CVE-2026-2355 is a stored cross-site scripting (XSS) vulnerability in the My Calendar – Accessible Event Manager WordPress plugin up to version 3.7.3. It arises from improper input neutralization in the `template` attribute of the `[my_calendar_upcoming]` shortcode. The vulnerability is due to the use of `stripcslashes()`, which decodes hex escape sequences at render time, bypassing WordPress's sanitization performed at save time. Authenticated users with Contributor-level or higher privileges can inject malicious scripts that execute whenever the affected page is viewed. This can lead to session hijacking, defacement, or other malicious actions. The CVSS score is 6.4 (medium severity), with no known exploits in the wild yet. Organizations using this plugin should prioritize patching or mitigating this issue to prevent potential exploitation.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-2355 affects the My Calendar – Accessible Event Manager plugin for WordPress, versions up to and including 3.7.3. It is a stored cross-site scripting (XSS) flaw categorized under CWE-79, caused by improper neutralization of user input during web page generation. Specifically, the issue lies in the handling of the `template` attribute within the `[my_calendar_upcoming]` shortcode. The plugin uses the PHP function `stripcslashes()` on user-supplied shortcode attributes in the `mc_draw_template()` function. This function decodes C-style hex escape sequences (e.g., converting `\x3c` to `<`) at render time, effectively bypassing the sanitization performed by WordPress's `wp_kses_post()` function at save time. As a result, malicious scripts can be injected and stored in the database. When a user accesses a page containing the injected shortcode, the malicious script executes in their browser context. The vulnerability requires an attacker to have at least Contributor-level authenticated access to the WordPress site, which is a relatively low privilege level in many configurations. The scope of impact includes confidentiality and integrity, as attackers can steal session cookies, perform actions on behalf of users, or deface content. The vulnerability does not affect availability directly and does not require user interaction beyond visiting the compromised page. No public exploits are currently known, but the medium CVSS score of 6.4 reflects the ease of exploitation and potential impact. The vulnerability is present in all versions up to 3.7.3, and no patch links are provided yet, indicating that mitigation may require manual intervention or plugin updates once available.
Potential Impact
The impact of CVE-2026-2355 is significant for organizations running WordPress sites with the My Calendar – Accessible Event Manager plugin installed. An attacker with Contributor-level access can inject persistent malicious scripts that execute in the browsers of any user visiting the affected pages. This can lead to session hijacking, unauthorized actions performed with the victim's privileges, data theft, and website defacement. Since Contributor-level access is often granted to content creators or editors, insider threats or compromised accounts can be leveraged to exploit this vulnerability. The stored nature of the XSS means the malicious payload persists until removed, increasing the window of exposure. Although the vulnerability does not directly impact system availability, the reputational damage and potential data breaches can be severe. Organizations with high traffic or sensitive user data are at greater risk. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly once the vulnerability is public. The vulnerability also undermines trust in the affected websites and can be used as a pivot point for further attacks.
Mitigation Recommendations
To mitigate CVE-2026-2355, organizations should take the following specific actions:
1) Immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection.
2) Monitor and audit all shortcode usage, especially the `[my_calendar_upcoming]` shortcode, for suspicious or unexpected `template` attribute values.
3) Implement a Web Application Firewall (WAF) with custom rules to detect and block payloads containing decoded hex sequences or suspicious script tags in shortcode attributes.
4) Temporarily disable or remove the My Calendar plugin if feasible until a patched version is released.
5) Encourage plugin developers or maintainers to release an update that removes the use of `stripcslashes()` on user input or applies sanitization at render time rather than relying solely on save-time sanitization.
6) Educate content creators and site administrators about the risks of XSS and the importance of validating inputs.
7) Regularly scan the website for stored XSS payloads using automated tools or manual code review.
8) Apply the principle of least privilege for all WordPress roles to reduce the attack surface.
These targeted steps go beyond generic advice by focusing on the specific mechanism of exploitation and the plugin's behavior.
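The following Python script is an added example; it is not code from the plugin, from WordPress or from this advisory. It models the ordering problem described in the Technical Summary (a filter applied at save time followed by escape decoding at render time) using an approximation of PHP's `stripcslashes()` and a deliberately small stand-in for `wp_kses_post()` (the real function is a full allow-list HTML filter; only the ordering matters here). The same decoder is then used to audit stored post content for `[my_calendar_upcoming]` `template` attributes whose C-style escapes would introduce HTML metacharacters at render time, which supports mitigation steps 2 and 7. The shortcode and attribute patterns are simplified (double-quoted attributes only) and the post content is constructed sample data. The example also covers octal escapes, which `stripcslashes()` decodes as well, going one step beyond the hex case the advisory names.

```python
import re

# Constructed sample of WordPress post content (not from any real site).
# Two of the four shortcodes carry C-style escapes in their template attribute.
SAMPLE_POST_CONTENT = """
<p>Upcoming events</p>
[my_calendar_upcoming before="0" after="5" template="{title} on {date}"]
[my_calendar_upcoming template="<b>{title}</b>"]
[my_calendar_upcoming template="{title}\\x3cu\\x3e{date}"]
[my_calendar_upcoming template="{title}\\074i\\076"]
"""

SHORTCODE_RE = re.compile(r'\[my_calendar_upcoming\b([^\]]*)\]')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')   # simplified: double-quoted attrs only
TAG_RE = re.compile(r'</?([A-Za-z][A-Za-z0-9]*)[^>]*>')
HTML_META = set('<>"\'&')
ALLOWED_TAGS = {'b', 'i', 'em', 'strong'}         # toy allow-list for the stand-in filter
_SINGLE = {'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'v': '\v', 'b': '\b', 'f': '\f'}


def c_unescape(s: str) -> str:
    """Approximation of PHP stripcslashes(): decodes \\xHH, octal \\NNN and the
    single-character escapes; any other escaped character is emitted as itself."""
    out, i, n = [], 0, len(s)
    while i < n:
        if s[i] != '\\' or i + 1 == n:
            out.append(s[i])
            i += 1
            continue
        i += 1                      # skip the backslash
        c = s[i]
        hexm = re.match(r'[0-9A-Fa-f]{1,2}', s[i + 1:]) if c == 'x' else None
        octm = re.match(r'[0-7]{1,3}', s[i:])
        if c in _SINGLE:
            out.append(_SINGLE[c])
            i += 1
        elif hexm:
            out.append(chr(int(hexm.group(0), 16)))
            i += 1 + len(hexm.group(0))
        elif octm:
            out.append(chr(int(octm.group(0), 8)))
            i += len(octm.group(0))
        else:
            out.append(c)           # e.g. "\\q" -> "q", "\\\\" -> "\\"
            i += 1
    return ''.join(out)


def allowlist_filter(value: str) -> str:
    """Toy stand-in for wp_kses_post(): keeps a few formatting tags and escapes the
    '<' of any other tag. It can only act on '<' characters that are present in
    the string it is given."""
    def keep_or_escape(m):
        if m.group(1).lower() in ALLOWED_TAGS:
            return m.group(0)
        return m.group(0).replace('<', '&lt;')
    return TAG_RE.sub(keep_or_escape, value)


def render_vulnerable(stored: str) -> str:
    """Order described in the advisory: filter at save time, decode at render time.
    The filter never sees the '<' that the decoder produces afterwards."""
    return c_unescape(allowlist_filter(stored))


def render_hardened(stored: str) -> str:
    """Mitigation 5: decode first, then filter what will actually reach the page."""
    return allowlist_filter(c_unescape(stored))


def find_suspicious_templates(post_content: str) -> list:
    """Audit helper (mitigations 2 and 7): report template attributes whose escapes
    would introduce HTML metacharacters that were not visible in the stored text."""
    hits = []
    for sc in SHORTCODE_RE.finditer(post_content):
        for name, value in ATTR_RE.findall(sc.group(1)):
            if name != 'template':
                continue
            decoded = c_unescape(value)
            introduced = ({ch for ch in decoded if ch in HTML_META}
                          - {ch for ch in value if ch in HTML_META})
            if introduced:
                hits.append({'raw': value, 'decoded': decoded,
                             'introduced': ''.join(sorted(introduced))})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_templates(SAMPLE_POST_CONTENT):
        print(f"stored: {hit['raw']!r}  ->  rendered: {hit['decoded']!r}  (new: {hit['introduced']})")
```

The audit function flags only attributes where decoding creates a metacharacter that the stored text did not contain, so a template that legitimately holds `<b>` is not reported (the save-time filter already had the chance to judge it), while `\x3c` and `\074` forms are. The two `render_*` functions show why mitigation 5 asks for sanitization after decoding: with the advisory's ordering, `\x3cu\x3e` passes the filter untouched and becomes `<u>` on the page; with the hardened ordering the filter sees `<u>` and neutralizes it.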
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-11T16:51:07.908Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a81880d1a09e29cb2f530d
Added to database: 3/4/2026, 11:33:20 AM
Last enriched: 3/4/2026, 11:48:09 AM
Last updated: 3/4/2026, 12:49:30 PM