CVE-2025-67555 – This stored cross-site scripting (XSS) vulnerab... (How to Fix)

Q: How do I fix CVE-2025-67555?

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'UseStrict's Calendly Embedder'. 4. Click 'Update Now' if available, or manually update to latest version. 5. Verify plugin is updated to version after 1.1.7.2.

Q: What is the severity of CVE-2025-67555?

CVE-2025-67555 has a CVSS score of 6.5 (MEDIUM). This stored cross-site scripting (XSS) vulnerability in UseStrict's Calendly Embedder WordPress plugin allows attackers to inject malicious scripts that execute when other users view affected pages. WordPress site administrators and users who view pages containing the malicious embed are affected. The vulnerability exists in versions up to and including 1.1.7.2.

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in UseStrict's Calendly Embedder WordPress plugin allows attackers to inject malicious scripts that execute when other users view affected pages. WordPress site administrators and users who view pages containing the malicious embed are affected. The vulnerability exists in versions up to and including 1.1.7.2.

💻 Affected Systems

Products:

UseStrict's Calendly Embedder (cal-embedder-lite)

Versions: n/a through <= 1.1.7.2

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: This is a WordPress plugin vulnerability affecting all WordPress installations using vulnerable versions of the plugin.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over WordPress sites, redirect users to malicious sites, or deploy malware to visitors' browsers.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies, potentially compromising WordPress admin accounts and defacing websites.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing any impact.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Stored XSS vulnerabilities in WordPress plugins are commonly exploited. While no public PoC is confirmed, similar vulnerabilities are frequently weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.1.7.2

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/cal-embedder-lite/vulnerability/wordpress-usestrict-s-calendly-embedder-plugin-1-1-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'UseStrict's Calendly Embedder'. 4. Click 'Update Now' if available, or manually update to latest version. 5. Verify plugin is updated to version after 1.1.7.2.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Calendly Embedder plugin until patched

wp plugin deactivate cal-embedder-lite

Implement WAF rules

all

Configure web application firewall to block XSS payloads targeting Calendly embed parameters

🧯 If You Can't Patch

Remove or disable the Calendly Embedder plugin entirely
Implement strict Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'UseStrict's Calendly Embedder' version

Check Version:

wp plugin get cal-embedder-lite --field=version

Verify Fix Applied:

Verify plugin version is greater than 1.1.7.2 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to Calendly embed endpoints
JavaScript payloads in plugin-related parameters

Network Indicators:

Malicious script injections in Calendly embed parameters
Unexpected external script loads from calendly embed pages

SIEM Query:

source="wordpress" AND (plugin="cal-embedder-lite" OR uri="*calendly*") AND (payload="<script>" OR payload="javascript:")

📊 Metadata

CVE ID: CVE-2025-67555

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.04% exploit probability (11.5th percentile)

Published: December 9, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/cal-embedder-lite/vulnerability/wordpress-usestrict-s-calendly-embedder-plugin-1-1-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-67555, you might also want to check these: