Cross-Site Scripting (XSS) Exploit Vulnerability + 0 updates / responses to WP Plug issues

[jontprice]

Just posting here in case someone at cal.com cares - not that updates to this are a thing, but yea:

Security vulnerability in Cal.com plugin (CVE-2025-31604)
Plugin: Cal.com (<= 1.0.0)
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
CVE: CVE-2025-31604
Severity: Medium (CVSS 6.5)
Details: Improper neutralization of script-related HTML tags (e.g. <, "), potentially exploitable by users with Contributor role or higher.
As far as we can tell, the issue is still unfixed. Could you confirm whether a patch is in development or planned?

• that's a pickup from the support ticket in WP plugin repo.

[jontprice]

Temporary Fix for CVE-2025-31604 XSS Vulnerability

Until this plugin is updated, here's a workaround that can be added to your functions.php to patch this thing for now :

<?php
// Add this to your theme's functions.php or create a custom plugin

// Fix for Cal.com plugin XSS vulnerability (CVE-2025-31604)
add_action('init', 'fix_calcom_xss_vulnerability', 20);

function fix_calcom_xss_vulnerability() {
    if (class_exists('CalCom\Embed')) {
        // Remove the original shortcode
        remove_shortcode('cal');
        
        // Add our secure version
        add_shortcode('cal', 'secure_calcom_shortcode');
    }
}

function secure_calcom_shortcode($atts) {
    $atts = secure_calcom_prepare_atts($atts);
    return secure_calcom_embed($atts);
}

function secure_calcom_prepare_atts($atts) {
    if (!$atts) {
        return [];
    }

    $embed_url = '';
    $embed_type = '1';
    $embed_text = 'Book me';
    $embed_custom_cal_url = '';

    if (isset($atts['url']) && $atts['url']) {
        $url = sanitize_text_field($atts['url']);
        
        // Validate URL format
        if (str_contains($atts['url'], 'https://cal.com/')) {
            $url = str_replace('https://cal.com/', '/', $url);
        } elseif (str_contains($atts['url'], 'https://') || str_contains($atts['url'], 'http://')) {
            $parsed_url = parse_url($url);
            if ($parsed_url && isset($parsed_url['host'])) {
                $embed_custom_cal_url = $parsed_url['scheme'] . '://' . $parsed_url['host'];
                $url = isset($parsed_url['path']) ? $parsed_url['path'] : '/';
            }
        }
        
        // Additional URL validation
        $embed_url = preg_replace('/[^a-zA-Z0-9\-_\/]/', '', $url);
    }

    if (isset($atts['type']) && $atts['type']) {
        $embed_type = sanitize_text_field($atts['type']);
        // Validate type is numeric
        if (!is_numeric($embed_type) || $embed_type < 1 || $embed_type > 3) {
            $embed_type = '1';
        }
    }

    if (isset($atts['text']) && $atts['text']) {
        // Proper sanitization for JavaScript output
        $embed_text = sanitize_text_field($atts['text']);
        // Remove any remaining script-related characters
        $embed_text = str_replace(['<', '>', '"', "'", '\\'], '', $embed_text);
    }

    return [
        'url' => $embed_url, 
        'type' => $embed_type, 
        'text' => $embed_text, 
        'customCalInstance' => esc_url_raw($embed_custom_cal_url)
    ];
}

function secure_calcom_embed($atts) {
    if (!$atts) {
        return '';
    }

    // Enqueue scripts
    wp_enqueue_script('calcom-embed-js');
    wp_enqueue_style('calcom-embed-css');

    switch ($atts['type']) {
        case '2':
            $output = '<span id="calcom-embed-link" data-cal-link="' . esc_attr($atts['url']) . '">' . esc_html($atts['text']) . '</span>';
            $output .= '<script>var customCalUrl = ' . wp_json_encode($atts['customCalInstance']) . ';</script>';
            break;
        case '3':
            $output = secure_calcom_floating_popup_script($atts['url'], $atts['text']);
            break;
        default:
            $output = '<div id="calcom-embed"></div>';
            $output .= secure_calcom_inline_script($atts['url'], $atts['customCalInstance']);
    }

    return $output;
}

function secure_calcom_inline_script($url, $custom_cal_url) {
    $script = '<script>
        addEventListener("DOMContentLoaded", (event) => {
            var customCalUrl = ' . wp_json_encode($custom_cal_url) . ';
            const selector = document.getElementById("calcom-embed");
            Cal("inline", {
                elementOrSelector: selector,
                calLink: ' . wp_json_encode($url) . '
            });
        });
    </script>';
    
    return $script;
}

function secure_calcom_floating_popup_script($url, $text) {
    $config = ['calLink' => $url];
    if (strlen($text) > 0) {
        $config['buttonText'] = $text;
    }
    
    $script = '<script>
        addEventListener("DOMContentLoaded", (event) => {
            Cal("floatingButton", ' . wp_json_encode($config) . ');
        });
    </script>';
    
    return $script;
}

Key fixes:

• Proper JavaScript escaping using wp_json_encode()
• Enhanced input validation and sanitization
• Prevents script injection through shortcode attributes

This should maintain all existing functionality while addressing the security vulnerability for the time being - apart from not fixing the original code and any error logging about that, you should be good w/ this. If anyone has edits, suggestions or updates to this, I am going to leave this open, since cal.com devs should still address this, if they ever get around to it.