PT-2026-57382 · Lustmored · Lockme Calendars Integration

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-3367

CVSS v3.1

4.4

Medium

VectorAV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client id), App Secret (client secret), Bookings ID prefix (id prefix), and API domain (api domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3367

Affected Products

Lockme Calendars Integration