cleantalk
Vulnerabilities and Security Researches

My Calendar, CVE-2026-2355

CVE, Research URL

CVE-2026-2355

Home page URL

Security reports for My Calendar

Application

My Calendar

Published on
Mar 04, 2026
Research Description
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.7.4.
Status
vulnerable
Previous vulnerability researches
Enable Media Replace (CVE-2026-2732) , Apr 14, 2026
Enable Media Replace (CVE-2023-0255) , Jun 06, 2024
Enable Media Replace (CVE-2023-6737) , Jun 06, 2024
Enable Media Replace (998cd782c633045e5da1cdac6b7b7cd2ce8eb0d2) , Jun 06, 2024
Enable Media Replace (CVE-2022-2554) , Jun 06, 2024
New vulnerability
PixelYourSite &#8211; Your smart PIXEL (TAG) Manager (CVE-2026-1841) , Apr 15, 2026
Consensus Embed (CVE-2026-1823) , Apr 15, 2026
Media Library Folders (CVE-2026-2312) , Apr 15, 2026
Nexter Extension (CVE-2026-0726) , Apr 15, 2026
CallbackKiller service widget (CVE-2026-1944) , Apr 15, 2026