Attack Vectors
CVE-2025-62752 affects the WordPress plugin Calendar.online / Kalender.digital (plugin slug: kalender-digital) in versions up to and including 1.0.13. This is a Medium severity issue (CVSS 6.4), and it requires an attacker to be an authenticated WordPress user with Contributor-level access or higher.
The attack vector is the plugin's own content-saving path: an attacker holding a Contributor account supplies a crafted value through the normal post-editing and page-building workflow in which the plugin's inputs are stored. Because the flaw is stored cross-site scripting (XSS), that value is persisted in the site's data and runs automatically in the browser of anyone who later views the affected page, with no further action from the attacker.
Security Weakness
The underlying weakness is insufficient input sanitization and output escaping in Calendar.online / Kalender.digital versions ≤ 1.0.13. In practical terms, the plugin neither cleans the attacker-controlled value when it is saved nor escapes it for the HTML context in which it is rendered, so script content is returned to visitors and logged-in users as live markup rather than as inert text.
Because the vulnerability is stored and can execute when a page is viewed, it can impact internal staff as well as customers—especially if high-privilege users (such as administrators) visit the injected page during routine review, approval, or publishing processes.
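The following is an added illustration of this weakness class in a generic WordPress shortcode; it is not code from the Calendar.online / Kalender.digital plugin, and the shortcode tag `demo_calendar` and its `caption` attribute are assumptions. It shows the vulnerable "echo it back" pattern beside the hardened form, and why a Contributor payload can survive WordPress's own save-time filtering.

```php
<?php
/**
 * Added illustration, not plugin code. Tag "demo_calendar" and attribute
 * "caption" are assumptions for this example.
 *
 * A Contributor cannot save a raw <script> tag: WordPress runs post content
 * through KSES on save for roles without the unfiltered_html capability.
 * KSES only filters HTML tags, though, so a shortcode attribute such as
 *   [demo_calendar caption='" onmouseover="alert(1)']
 * is stored untouched as plain text and breaks out of the title attribute
 * the moment it is echoed without escaping. The page is then poisoned for
 * every later viewer, including an editor or admin previewing the draft.
 */

// VULNERABLE pattern: attacker-controlled attribute echoed verbatim into
// both an attribute value and an element body.
function demo_calendar_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'caption' => '' ), $atts, 'demo_calendar' );
    return '<div class="demo-calendar" title="' . $atts['caption'] . '">'
         . $atts['caption']
         . '</div>';
}

// HARDENED pattern: sanitize on input, escape on output, with the escaping
// function matched to the HTML context the value lands in. Note that
// sanitize_text_field() alone does not stop the attribute breakout above
// (the payload contains no tags); esc_attr() turning '"' into '&quot;' does.
function demo_calendar_shortcode_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'caption' => '' ), $atts, 'demo_calendar' );
    $caption = sanitize_text_field( $atts['caption'] ); // strips tags, control chars
    return '<div class="demo-calendar" title="' . esc_attr( $caption ) . '">'
         . esc_html( $caption )
         . '</div>';
}
add_shortcode( 'demo_calendar', 'demo_calendar_shortcode_hardened' );

// If rich text is genuinely required in the element body, whitelist it with
// wp_kses_post() instead of echoing it raw. This is for element content only;
// attribute values still need esc_attr().
function demo_calendar_render_rich_body( $html ) {
    return '<div class="demo-calendar">' . wp_kses_post( $html ) . '</div>';
}
```

When reviewing a plugin for this class of bug, look for every place a stored value reaches the page and confirm the escaping function matches the context (`esc_attr` for attributes, `esc_html` for text, `esc_url` for `href`/`src`, `wp_kses_post` for allowed rich content); sanitization at save time is a second layer, not a substitute.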
Technical or Business Impacts
Stored XSS in a business website is more than a “website glitch.” It can lead to account compromise (for example, if a privileged user’s browser session is abused), unauthorized changes to site content, and potential misuse of trusted brand channels.
For marketing directors and executives, the risk concentrates around brand trust and operational disruption: defaced landing pages, altered calls-to-action, malicious redirects, or injected content that harms campaign performance and damages reputation.
For compliance and risk teams, stored script execution on public-facing pages can become a governance issue—particularly if it enables unauthorized content modification, impacts customer communications, or increases the likelihood of downstream incidents that require disclosure, investigation, or audit response.
Recommended remediation: update Calendar.online / Kalender.digital to version 1.0.14 or later (patched). Also review which users hold Contributor (or higher) access, since every account at that level or above can reach the injection point, and tighten review and publishing workflows: Contributor submissions are normally previewed by editors or administrators before publication, which is exactly when a stored payload would execute in a privileged session.
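The following is an added remediation check for the two actions above; it is not code from the plugin or from WordPress core. It is meant to be run from the site root with WP-CLI (`wp eval-file kalender-digital-audit.php`). Assumed, not taken from the page: the plugin's main file path in `KD_PLUGIN_FILE`, the audit file name, and a WordPress version of 5.9 or later (for the `capability` argument of `get_users()`).

```php
<?php
/**
 * Added remediation check, not plugin or WordPress core code.
 * Run from the site root with WP-CLI:  wp eval-file kalender-digital-audit.php
 * Assumptions: the plugin's main file lives at KD_PLUGIN_FILE, and
 * WordPress >= 5.9 (for the 'capability' argument of get_users()).
 */

const KD_PLUGIN_FILE   = 'kalender-digital/kalender-digital.php'; // assumed path
const KD_FIXED_VERSION = '1.0.14';                                 // first patched release

// get_plugin_data() lives in an admin include that is not loaded in CLI context.
if ( ! function_exists( 'get_plugin_data' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// true  -> installed version is still in the vulnerable range (<= 1.0.13)
// false -> 1.0.14 or later
// null  -> plugin not found at the assumed path
function kd_plugin_needs_update() {
    $path = WP_PLUGIN_DIR . '/' . KD_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return null;
    }
    $data = get_plugin_data( $path, false, false );
    return version_compare( $data['Version'], KD_FIXED_VERSION, '<' );
}

// Every account that can reach the attack vector. Contributor is the lowest
// built-in role with edit_posts; Author, Editor and Administrator inherit it,
// so query by capability rather than role name so custom roles are not missed.
function kd_users_who_can_edit_posts() {
    return get_users( array(
        'capability' => 'edit_posts',
        'fields'     => array( 'ID', 'user_login', 'user_email' ),
        'orderby'    => 'ID',
    ) );
}

$needs_update = kd_plugin_needs_update();
if ( null === $needs_update ) {
    WP_CLI::log( 'kalender-digital not found at ' . KD_PLUGIN_FILE );
} elseif ( $needs_update ) {
    WP_CLI::warning( 'kalender-digital is <= 1.0.13; run: wp plugin update kalender-digital' );
} else {
    WP_CLI::success( 'kalender-digital is ' . KD_FIXED_VERSION . ' or later.' );
}

WP_CLI::log( 'Accounts with edit_posts (Contributor or higher):' );
foreach ( kd_users_who_can_edit_posts() as $u ) {
    WP_CLI::log( sprintf( '  %-5d %-20s %s', $u->ID, $u->user_login, $u->user_email ) );
}
```

The user list is the review target: any account on it that does not need to create content is an unnecessary path to the injection point and should be downgraded to Subscriber or removed, and the remaining Contributor submissions should be reviewed with the plugin already updated.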
Similar Attacks
Stored XSS has been repeatedly used in real-world web attacks to inject scripts that execute in a trusted site context. For additional background, see:
CISA Known Exploited Vulnerabilities Catalog update (includes XSS-related items in multiple products)
Cloudflare overview: Cross-Site Scripting (XSS)
OWASP: Cross Site Scripting (XSS)