Stored Cross-Site Scripting Vulnerability in Lockme OAuth2 Calendars Integration Plugin for WordPress
CVE-2026-3367
4.4MEDIUM
What is CVE-2026-3367?
The Lockme OAuth2 calendars integration plugin for WordPress has a vulnerability that allows authenticated users with administrative privileges to inject malicious scripts via the 'App ID' setting. This flaw arises from a lack of proper input sanitization and output encoding, as the register_setting() function does not perform adequate checks. Unsanitized data can be stored and later displayed directly in the settings page, leading to the execution of arbitrary scripts when the settings are accessed. The vulnerability poses significant risks, especially in a WordPress multisite environment, where isolated control can lead to cross-site scripting attacks that affect multiple users.
Affected Version(s)
Lockme calendars integration 0 <= 2.11.0