CVE-2025-3749
Published
CVSS v3
6.4
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT
Description
The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
<p>A plugin that brings in your Breeze church management software data (events, full calendar, pledges, donations and contributions) for display on your WordPress website. It can be displayed via widgets on a sidebar or shortcodes within pages and posts.</p>
<p>This plugin is built and supported by <a href="https://worshiptimes.org/" title="Worship Times Websites For Ministries" rel="nofollow ugc">Worship Times</a> and is not an official product of Breeze.</p>
<div class="embed-vimeo" style="text-align: center;"><iframe loading="lazy" src="https://player.vimeo.com/video/195973042" width="750" height="422" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe></div>
<div class="embed-vimeo" style="text-align: center;"><iframe loading="lazy" src="https://player.vimeo.com/video/401437498" width="750" height="422" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe></div>
WordPress Plugin Directory