Cal.com Vulnerability (Medium) – CVE-2025-31604

by | Apr 15, 2026 | Plugins

Attack Vectors

CVE-2025-31604 is a Medium severity Stored Cross-Site Scripting (XSS) issue affecting the Cal.com WordPress plugin (slug: cal-com) in versions up to and including 1.0.0. The vulnerability can be exploited by an authenticated user with Contributor-level access or higher, allowing them to inject malicious script into content that is later viewed by others.

Because this is a stored XSS, the injected code can execute whenever a visitor or staff member loads the affected page(s). In practical terms, this means a compromised or malicious contributor account can plant harmful code that impacts customers, marketing teams, and administrators who browse site content.

Reference: CVE-2025-31604. Severity context: CVSS 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Security Weakness

The root cause is insufficient input sanitization and output escaping within the Cal.com plugin (versions <= 1.0.0). When user-supplied content is not properly cleaned on the way in (sanitization) and safely rendered on the way out (escaping), it can be interpreted by browsers as executable script instead of plain text.

This issue is especially relevant for organizations that grant Contributor access for marketing workflows (guest authors, agencies, interns, contractors). Even if those users cannot publish directly in all configurations, content that eventually gets published or displayed can become a delivery mechanism for malicious scripts.
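As an added illustration, not the Cal.com plugin's own code: a hypothetical `[cal_embed]` shortcode is shown first in the unsafe form that produces exactly the sanitization/escaping gap described above, then hardened with the WordPress helper functions a plugin should use. The shortcode name, its attributes and the allow-listed host are assumptions.

```php
<?php
/**
 * Added illustration (not the Cal.com plugin's code): a hypothetical
 * [cal_embed link="..." label="..."] shortcode that renders a booking link.
 * Shortcode attributes are attacker-controlled here because a Contributor
 * can save them in post content that is later rendered for every viewer.
 */

// VULNERABLE: attribute values are concatenated into markup unchanged.
// Nothing is sanitized on the way in and nothing is escaped on the way out,
// so a value that breaks out of the quoted attribute is parsed by the browser
// as new markup and any script it carries runs for visitors and admins alike.
function cal_embed_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'link' => '', 'label' => 'Book a meeting' ), $atts, 'cal_embed' );
    return '<a class="cal-embed" href="' . $atts['link'] . '">' . $atts['label'] . '</a>';
}

// HARDENED: sanitize on input, validate the expected shape, escape for the
// exact output context (URL attribute vs. text node).
function cal_embed_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'link' => '', 'label' => 'Book a meeting' ), $atts, 'cal_embed' );

    // Sanitization: strip tags and control characters, normalise the URL.
    $link  = esc_url_raw( sanitize_text_field( $atts['link'] ) );
    $label = sanitize_text_field( $atts['label'] );

    // Validation: only accept a destination on the expected booking host
    // (assumed allow-list); anything else renders nothing at all.
    $host = wp_parse_url( $link, PHP_URL_HOST );
    if ( ! $host || ! preg_match( '/(^|\.)cal\.com$/i', $host ) ) {
        return '';
    }

    // Escaping: esc_url() for the href (also rejects non-http schemes such
    // as javascript:), esc_html() for the link text.
    return sprintf(
        '<a class="cal-embed" href="%s" rel="noopener" target="_blank">%s</a>',
        esc_url( $link ),
        esc_html( $label )
    );
}

add_shortcode( 'cal_embed', 'cal_embed_shortcode_hardened' );
```

The hardened function is what a Contributor-level stored XSS fix typically looks like: the same content is stored, but it can no longer be interpreted as markup when the page is viewed.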

Technical or Business Impacts

Stored XSS commonly creates business risk beyond “website defacement.” If exploited, it can undermine brand trust and campaign integrity by silently altering on-page content, redirecting visitors, or injecting misleading calls-to-action that damage conversion performance.

From a governance and compliance standpoint, stored XSS can be used to capture sensitive information available in the browser session (for example, data entered into forms or information exposed to logged-in users), and it can enable actions performed in a user’s context when they view the injected page. This can lead to incident response costs, reputational harm, and audit findings—especially if affected pages are customer-facing or used in regulated workflows.

Remediation: Update the Cal.com plugin to version 2.0.0 or a newer patched version, per the vendor guidance. As additional risk reduction, review who has Contributor (or higher) access, remove unused accounts, and audit recently edited content for unexpected scripts.

Similar Attacks

Stored XSS has a long history of being used to hijack sessions, alter content, and compromise administrative users. A well-known example in the WordPress ecosystem is a stored XSS vulnerability that affected WordPress core (comments handling) and was tracked as CVE-2015-3440.

Source for this Cal.com vulnerability disclosure: Wordfence Threat Intelligence.
