Stored Cross-Site Scripting Vulnerability in Lockme OAuth2 Calendars Integration Plugin for WordPress
CVE-2026-3367

4.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-3367?

The Lockme OAuth2 calendars integration plugin for WordPress has a vulnerability that allows authenticated users with administrative privileges to inject malicious scripts via the 'App ID' setting. This flaw arises from a lack of proper input sanitization and output encoding, as the register_setting() function does not perform adequate checks. Unsanitized data can be stored and later displayed directly in the settings page, leading to the execution of arbitrary scripts when the settings are accessed. The vulnerability poses significant risks, especially in a WordPress multisite environment, where isolated control can lead to cross-site scripting attacks that affect multiple users.

Affected Version(s)

Lockme calendars integration 0 <= 2.11.0

References

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Nur Ibnu Hubab
.