A vulnerability classified as problematic was found in lustmored Lockme calendars integration Plugin up to 2.11.0 on WordPress. Impacted is the function register_setting/update_option of the component Plugin Settings. Executing a manipulation of the argument client_id/client_secret/id_prefix/api_domain can lead to cross site scripting.

The identification of this vulnerability is CVE-2026-3367. The attack may be launched remotely. There is no exploit available.