Cross-Site Scripting (XSS) Exploit Vulnerability + 0 updates / responses to WP Plug issues

[jontprice]

Just posting here in case someone at cal.com cares - not that updates to this are a thing, but yea:

Security vulnerability in Cal.com plugin (CVE-2025-31604)
Plugin: Cal.com (<= 1.0.0)
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
CVE: CVE-2025-31604
Severity: Medium (CVSS 6.5)
Details: Improper neutralization of script-related HTML tags (e.g. <, "), potentially exploitable by users with Contributor role or higher.
As far as we can tell, the issue is still unfixed. Could you confirm whether a patch is in development or planned?

• that's a pickup from the support ticket in WP plugin repo.

[jontprice]

Temporary Fix for CVE-2025-31604 XSS Vulnerability

Until this plugin is updated, here's a workaround that can be added to your functions.php to patch this thing for now :

<?php
// Add this to your theme's functions.php or create a custom plugin

// Fix for Cal.com plugin XSS vulnerability (CVE-2025-31604)
add_action('init', 'fix_calcom_xss_vulnerability', 20);

function fix_calcom_xss_vulnerability() {
    if (class_exists('CalCom\Embed')) {
        // Remove the original shortcode
        remove_shortcode('cal');
        
        // Add our secure version
        add_shortcode('cal', 'secure_calcom_shortcode');
    }
}

function secure_calcom_shortcode($atts) {
    $atts = secure_calcom_prepare_atts($atts);
    return secure_calcom_embed($atts);
}

function secure_calcom_prepare_atts($atts) {
    if (!$atts) {
        return [];
    }

    $embed_url = '';
    $embed_type = '1';
    $embed_text = 'Book me';
    $embed_custom_cal_url = '';

    if (isset($atts['url']) && $atts['url']) {
        $url = sanitize_text_field($atts['url']);
        
        // Validate URL format
        if (str_contains($atts['url'], 'https://cal.com/')) {
            $url = str_replace('https://cal.com/', '/', $url);
        } elseif (str_contains($atts['url'], 'https://') || str_contains($atts['url'], 'http://')) {
            $parsed_url = parse_url($url);
            if ($parsed_url && isset($parsed_url['host'])) {
                $embed_custom_cal_url = $parsed_url['scheme'] . '://' . $parsed_url['host'];
                $url = isset($parsed_url['path']) ? $parsed_url['path'] : '/';
            }
        }
        
        // Additional URL validation
        $embed_url = preg_replace('/[^a-zA-Z0-9\-_\/]/', '', $url);
    }

    if (isset($atts['type']) && $atts['type']) {
        $embed_type = sanitize_text_field($atts['type']);
        // Validate type is numeric
        if (!is_numeric($embed_type) || $embed_type < 1 || $embed_type > 3) {
            $embed_type = '1';
        }
    }

    if (isset($atts['text']) && $atts['text']) {
        // Proper sanitization for JavaScript output
        $embed_text = sanitize_text_field($atts['text']);
        // Remove any remaining script-related characters
        $embed_text = str_replace(['<', '>', '"', "'", '\\'], '', $embed_text);
    }

    return [
        'url' => $embed_url, 
        'type' => $embed_type, 
        'text' => $embed_text, 
        'customCalInstance' => esc_url_raw($embed_custom_cal_url)
    ];
}

function secure_calcom_embed($atts) {
    if (!$atts) {
        return '';
    }

    // Enqueue scripts
    wp_enqueue_script('calcom-embed-js');
    wp_enqueue_style('calcom-embed-css');

    switch ($atts['type']) {
        case '2':
            $output = '<span id="calcom-embed-link" data-cal-link="' . esc_attr($atts['url']) . '">' . esc_html($atts['text']) . '</span>';
            $output .= '<script>var customCalUrl = ' . wp_json_encode($atts['customCalInstance']) . ';</script>';
            break;
        case '3':
            $output = secure_calcom_floating_popup_script($atts['url'], $atts['text']);
            break;
        default:
            $output = '<div id="calcom-embed"></div>';
            $output .= secure_calcom_inline_script($atts['url'], $atts['customCalInstance']);
    }

    return $output;
}

function secure_calcom_inline_script($url, $custom_cal_url) {
    $script = '<script>
        addEventListener("DOMContentLoaded", (event) => {
            var customCalUrl = ' . wp_json_encode($custom_cal_url) . ';
            const selector = document.getElementById("calcom-embed");
            Cal("inline", {
                elementOrSelector: selector,
                calLink: ' . wp_json_encode($url) . '
            });
        });
    </script>';
    
    return $script;
}

function secure_calcom_floating_popup_script($url, $text) {
    $config = ['calLink' => $url];
    if (strlen($text) > 0) {
        $config['buttonText'] = $text;
    }
    
    $script = '<script>
        addEventListener("DOMContentLoaded", (event) => {
            Cal("floatingButton", ' . wp_json_encode($config) . ');
        });
    </script>';
    
    return $script;
}

Key fixes:

• Proper JavaScript escaping using wp_json_encode()
• Enhanced input validation and sanitization
• Prevents script injection through shortcode attributes

This should maintain all existing functionality while addressing the security vulnerability for the time being - apart from not fixing the original code and any error logging about that, you should be good w/ this. If anyone has edits, suggestions or updates to this, I am going to leave this open, since cal.com devs should still address this, if they ever get around to it.

[Carolelesud]

Hello,
Has the update been completed?
I still have the vulnerability on my WordPress site today.

I now manage my site on my own using DIVI.
I know how to use it, but not everything.

Could you please tell me where I should apply your fix?
At which place on the site? I’m not sure.

Thank you,
Carole

[jontprice]

Hello, Has the update been completed? I still have the vulnerability on my WordPress site today.
I now manage my site on my own using DIVI. I know how to use it, but not everything.
Could you please tell me where I should apply your fix? At which place on the site? I’m not sure.
Thank you, Carole

Hey Carole, below is a a link to a step-by-step guide on how you can safely implement this patch with some additional steps to avoid accidents or issues while doing it. The guide is inside a ChatGPT ai artifact- so the link should be around for a while, in case someone else has a similar need.

Before you do anything at all, create a backup of your site files and database and ensure that you can easily restore your site, should anything go sideways.

I'm just trying to be a good human and help someone else out here - so here's my CYA statement on this that I have to include, please read and understand this before you proceed:

In no way am I affiliated with Cal.com, the Cal.com Wordpress Plugin or their development team. I have no financial interest in the company or organization behind cal.com, Github, the Codesnippets plugin or Wordpress, nor do I stand to gain any financial benefit from them by providing this patch. By using this guide and patch as provided, you acknowledge and release me from any liability, damage or loss of any kind arising from the use of the guide, code and materials provided below.

WP, plugins and security exploits evolve over time, so I would highly recommend enabling auto-updates for WP, Divi, WP's plugin auto-updates for cal.com's plugin and the snippets plugin that's recommended in the guide. This way, you'll automatically receive any future updates or security patches, should an official Cal.com patch or update to the other components mentioned be released. Again - always back everything up first.

With that out of the way...

The full chat transcript and instructions are included in the link below as well as the review and assessment of the patch code and the current state of this vulnerability as of Feb 25, 2026. The guide is written for someone with admin-level access to their own WP site and basic WP knowledge at a novice level and assumes the user has the access and authority to implement the patch. In addition to the security and code review of the patch, and the backup you make of your site ahead of time, there are added steps outlined to help use the safe mode of the plugin to gracefully revert any changes, which you should also utilize to ensure that this is as safe, secure and problem-free as possible.

Hope this implementation guide is helpful to you, stay safe and best of luck!