PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3367 lustmored CVE debrief

The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register_setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update_option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc_attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users.

Vendor
lustmored
Product
Lockme calendars integration
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Administrators of WordPress installations using the Lockme OAuth2 calendars integration plugin, especially those with multisite installations, should be aware of this vulnerability and take immediate action to protect their sites.

Technical summary

The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping in the 'App ID' setting. The vulnerability exists in all versions up to and including 2.11.0. The issue arises from the lack of a sanitize callback in the register_setting() call on line 197, allowing unsanitized data to be stored. When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without proper escaping on line 212. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts, which will execute when a user accesses the plugin settings page. The vulnerability affects multiple fields, including App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). The impact is particularly significant in WordPress multisite installations, where individual site administrators should not be able to execute JavaScript affecting other users.

Defensive priority

High

Recommended defensive actions

  • Update the Lockme OAuth2 calendars integration plugin to a version beyond 2.11.0, if available.
  • Implement a Web Application Firewall (WAF) to detect and prevent common XSS attacks.
  • Regularly monitor plugin settings pages for suspicious activity.
  • Restrict administrator-level access to only trusted users.
  • Consider using a security plugin that provides additional protection against XSS attacks.

Evidence notes

The CVE record was published on 2026-07-11T04:17:23.670Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to public CVE and NVD data. Defenders should verify the affected plugin versions, review the plugin's settings page for suspicious activity, and monitor for potential JavaScript injection attempts. Additional verification tasks may be necessary to confirm the vulnerability's impact on specific WordPress installations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T04:17:23.670Z and has not been modified since then.