CVE-2023-4995: 
WordPress vulnerability analysis and mitigation

The Embed Calendly plugin for WordPress (versions up to 3.6) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-4995) discovered in October 2023. The vulnerability exists in the 'calendly' shortcode functionality due to insufficient input sanitization and output escaping on user-supplied attributes (NVD CVE).

The vulnerability allows authenticated users with contributor-level permissions or higher to inject arbitrary web scripts into pages through the 'calendly' shortcode. The scripts execute when users access the compromised pages. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity but requiring privileged access (NVD CVE).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when they visit affected pages. This can lead to theft of sensitive information, session hijacking, or other client-side attacks targeting site visitors (NVD CVE).

Users should update to a version newer than 3.6 of the Embed Calendly plugin. Until an update can be applied, site administrators should review and restrict contributor-level access to trusted users only (NVD CVE).