CVE-2026-1902 Overview
The Hammas Calendar plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the apix parameter of the hp-calendar-manage-redirect shortcode. All versions up to and including 1.5.11 are affected because the attribute value is neither sanitized on input nor escaped on output. Authenticated attackers with Contributor-level access or above can place a crafted shortcode in a post or page; the injected script then runs in the browser of every user who views (or previews) that content.
Critical Impact
Authenticated low-privilege users can persistently inject script that executes in the browsers of all users who view affected pages, including the Editors and Administrators who review pending posts. WordPress sets its authentication cookies HttpOnly, so the usual outcome is not cookie theft but the script acting on the victim's behalf with the victim's privileges (for example, issuing authenticated requests from an administrator's session), alongside credential theft through injected forms and website defacement.
Affected Products
- Hammas Calendar WordPress Plugin versions up to and including 1.5.11
- WordPress sites running the plugin that grant Contributor or higher roles (any role able to write posts) to users who are not fully trusted
Discovery Timeline
- 2026-03-07 - CVE-2026-1902 published to NVD
- 2026-03-09 - Last updated in the NVD database
Technical Details for CVE-2026-1902
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the Hammas Calendar WordPress plugin's shortcode implementation. The hp-calendar-manage-redirect shortcode accepts an apix attribute and renders it into the page output without sanitizing or escaping it. When an authenticated user with at least Contributor privileges inserts a payload through this attribute, it is stored with the post content in the WordPress database and runs whenever the shortcode is rendered, that is, in the browser of every visitor to the page and of every editor or administrator who previews the post.
The impact extends beyond the vulnerable component: the injected script runs in the site's own origin, so it can read the DOM, call the REST API and admin-ajax endpoints with the victim's session and nonces, and submit forms as the victim. WordPress authentication cookies are HttpOnly and therefore not readable from script, but that does not limit what the script can do while the victim's session is active. Because Contributors cannot publish and their posts are reviewed by Editors or Administrators, a privileged user previewing the pending post is the expected first victim, which is how the payload can lead to compromise of an administrative account.
Root Cause
The root cause is insufficient input sanitization and output escaping in the plugin's shortcode handler. The apix attribute is read from the shortcode and written into the HTML output without an escaping function matched to the output context, such as esc_attr() for an attribute value or esc_html() for text between tags (wp_kses() being the right tool only where a limited set of HTML is genuinely intended). WordPress strips HTML tags such as <script> from content saved by users without the unfiltered_html capability, but it does not interpret shortcode attributes, so quotes and event-handler text inside the attribute value survive the save and are then emitted verbatim and executed as part of the page.
The vulnerable code paths can be traced through the plugin's main file and the HpPlugin.php source file.
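The following is an added illustration of the pattern described above, not code from the Hammas Calendar plugin or from HpPlugin.php: a shortcode handler that interpolates the apix attribute unescaped, beside a hardened version that escapes for its output context. The shortcode and attribute names are the ones the advisory cites; the surrounding markup (a data-apix attribute on a div) is assumed. When run outside WordPress, esc_attr() and shortcode_atts() are replaced by the minimal stand-ins defined in the file.

```php
<?php
// Added illustration, not the plugin's code. Shows the unescaped-attribute
// pattern behind the advisory and its hardened counterpart. Outside WordPress,
// esc_attr() and shortcode_atts() are stood in for so the file runs with plain php.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encodes & < > " ' for attribute context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Stand-in for WordPress shortcode_atts(): keep known keys only, fill defaults.
    function shortcode_atts(array $defaults, $atts) {
        $atts = is_array($atts) ? $atts : [];
        $out = [];
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: $atts['apix'] lands inside an HTML attribute as-is, so a
// value containing a double quote closes the attribute and starts new ones.
function hp_manage_redirect_vulnerable($atts) {
    $atts = shortcode_atts(['apix' => ''], $atts);
    return '<div class="hp-redirect" data-apix="' . $atts['apix'] . '">Manage calendar</div>';
}

// Hardened pattern: escape for the exact output context. esc_attr() turns the
// quote into &quot;, so the browser sees a single attribute with an odd value.
// esc_html() is the right call for text between tags, esc_url() for a URL,
// and wp_kses_post() only where rich HTML is intended.
function hp_manage_redirect_hardened($atts) {
    $atts = shortcode_atts(['apix' => ''], $atts);
    return '<div class="hp-redirect" data-apix="' . esc_attr($atts['apix']) . '">Manage calendar</div>';
}

// Inside WordPress this is how the hardened handler would be registered.
if (function_exists('add_shortcode')) {
    add_shortcode('hp-calendar-manage-redirect', 'hp_manage_redirect_hardened');
}

// Constructed payload of the kind a Contributor can actually save: no <script>
// tag (wp_kses strips tags for roles without unfiltered_html), just an
// attribute break-out followed by an event handler.
$payload = '" onmouseover="alert(document.domain)';

echo "vulnerable: ", hp_manage_redirect_vulnerable(['apix' => $payload]), PHP_EOL;
echo "hardened:   ", hp_manage_redirect_hardened(['apix' => $payload]), PHP_EOL;
```

Run it with php on the command line: the vulnerable line contains a live onmouseover attribute, the hardened line contains only encoded quotes inside data-apix. Adding sanitize_text_field() on the way in is worthwhile defence in depth, but it is the context-correct output escaping that removes the XSS.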
Attack Vector
The attack requires network access to the site and an authenticated account with at least Contributor-level permissions. The attacker writes a shortcode whose apix attribute carries the payload into a post or page and saves it; the payload is stored with the post content. Contributors cannot publish, so the script first fires when an Editor or Administrator previews the pending post (the front-end preview renders shortcodes), and then for every visitor once the post is published. The payload persists in the database until the content is removed or corrected, which is what distinguishes this from reflected XSS.
Because wp_kses strips <script> tags on save for users without unfiltered_html, a realistic payload avoids tags altogether: it closes the quoted attribute and appends an event handler, or supplies a javascript: URI, depending on where the plugin writes the value.
Detection Methods for CVE-2026-1902
Indicators of Compromise
- hp-calendar-manage-redirect shortcodes whose apix attribute contains quote characters, angle brackets, on*= event handlers, javascript: URIs, or HTML entities; a literal <script> tag is unlikely from a Contributor account because wp_kses strips it on save
- Posts, drafts or revisions containing the shortcode that were created or edited by Contributor-level accounts, particularly pending posts awaiting review
- Unexpected outbound requests, redirects or DOM changes on pages that use the Hammas Calendar plugin
Detection Strategies
- Add web application firewall (WAF) rules for XSS patterns in post-save requests (post.php, the REST posts endpoints, admin-ajax); expect false negatives, since a quote plus an event handler inside a shortcode attribute looks little like classic XSS signatures
- Search post_content, including revisions and autosaves, for the shortcode and inspect each apix value, rather than grepping for <script alone
- Review audit logs for content created or modified by lower-privileged accounts that includes calendar shortcodes
- Endpoint detection gives little visibility into script running inside a browser tab; treat the server-side content review above as the primary control
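As an added detection example (not code from the plugin or from Wordfence), the script below pulls each apix attribute out of every hp-calendar-manage-redirect shortcode in a post body and flags values that break out of an HTML attribute or carry script, which is the content review the strategies above call for. The attribute parser is a simplified version of what WordPress's shortcode_parse_atts() does; the post rows are constructed. In practice, feed it rows exported with wp db query, or call the functions from a wp eval-file script where shortcode_parse_atts() can replace the parser.

```php
<?php
// Added detection example, not the plugin's or Wordfence's code. Scans post
// content for hp-calendar-manage-redirect shortcodes and reports apix values
// that look like attribute break-outs or script. Sample rows are constructed.

// Return every apix value found in hp-calendar-manage-redirect shortcodes.
// Simplified attribute grammar: key="v", key='v', key=v.
function hp_extract_apix_values(string $content): array {
    $values = [];
    if (!preg_match_all('/\[hp-calendar-manage-redirect\b([^\]]*)\]/i', $content, $tags)) {
        return $values;
    }
    $attrRe = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    foreach ($tags[1] as $attrString) {
        if (!preg_match_all($attrRe, $attrString, $m, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($m as $attr) {
            if (strtolower($attr[1]) !== 'apix') {
                continue;
            }
            // Whichever quoting alternative matched holds the value; unmatched
            // groups are '' or absent, so walk them in order.
            $value = '';
            foreach ([2, 3, 4] as $g) {
                if (isset($attr[$g]) && $attr[$g] !== '') {
                    $value = $attr[$g];
                    break;
                }
            }
            $values[] = $value;
        }
    }
    return $values;
}

// Heuristic: a legitimate apix value should contain none of these. Returns the
// first matching reason, or null when the value looks clean.
function hp_apix_is_suspicious(string $value): ?string {
    $checks = [
        'quote (attribute break-out)'   => '/["\']/',
        'angle bracket (tag injection)' => '/[<>]/',
        'inline event handler'          => '/\bon[a-z]+\s*=/i',
        'script-capable URI scheme'     => '/\b(?:javascript|vbscript|data)\s*:/i',
        'entity or escape sequence'     => '/&#|&[a-z]+;|\\\\[ux][0-9a-f]{2}/i',
    ];
    foreach ($checks as $reason => $re) {
        if (preg_match($re, $value)) {
            return $reason;
        }
    }
    return null;
}

// Scan rows shaped like wp_posts (ID, post_title, post_content); return findings.
function hp_scan_posts(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        foreach (hp_extract_apix_values($row['post_content']) as $apix) {
            $reason = hp_apix_is_suspicious($apix);
            if ($reason !== null) {
                $findings[] = ['ID' => $row['ID'], 'title' => $row['post_title'], 'apix' => $apix, 'reason' => $reason];
            }
        }
    }
    return $findings;
}

// Constructed sample rows: one benign, two carrying payloads a Contributor can save
// (no <script> tags, which wp_kses would strip).
$rows = [
    ['ID' => 101, 'post_title' => 'Events',       'post_content' => '[hp-calendar-manage-redirect apix="team-calendar"]'],
    ['ID' => 102, 'post_title' => 'Pending post', 'post_content' => "[hp-calendar-manage-redirect apix='\" onmouseover=\"alert(document.domain)']"],
    ['ID' => 103, 'post_title' => 'Draft',        'post_content' => '[hp-calendar-manage-redirect apix=javascript:alert(1)]'],
];

foreach (hp_scan_posts($rows) as $f) {
    printf("post %d (%s): apix=%s -> %s\n", $f['ID'], $f['title'], $f['apix'], $f['reason']);
}
```

Post 101 is reported clean; 102 is flagged for the quote that closes the attribute, 103 for the javascript: scheme. Include post_type revision and post_status pending or draft in whatever query feeds the scanner, since a Contributor's payload sits in a pending post or its revisions before anything is ever published.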
Monitoring Recommendations
- Enable WordPress audit logging to track all post and page modifications, including which account saved each revision
- Alert on saved content where a shortcode attribute contains quote characters, on*= handlers or javascript: URIs
- Watch for privileged actions (new administrator accounts, plugin installs, theme or plugin file edits) shortly after an administrator reviewed a pending post, since those are what an injected script would do with that session
- Deploy a Content Security Policy that disallows inline script; start in report-only mode, because WordPress core, themes and plugins rely heavily on inline scripts and a blocking policy will break pages until those scripts are nonced or hashed
How to Mitigate CVE-2026-1902
Immediate Actions Required
- Update the Hammas Calendar plugin to a release newer than 1.5.11 that the changelog identifies as the fix, as soon as one is available
- Temporarily disable the Hammas Calendar plugin if no patch is currently available
- Audit existing content for any malicious shortcode injections in the apix parameter
- Review and restrict Contributor-level user permissions where possible
- Implement a Web Application Firewall with XSS protection rules
Patch Information
The fix is tracked in the plugin's changeset history on WordPress.org; for details of the vulnerability itself, refer to the Wordfence Vulnerability Report. Apply the latest plugin update through the WordPress admin dashboard or WP-CLI, or replace the plugin files with the patched release from the official WordPress plugin repository, then confirm the installed version is above 1.5.11.
Workarounds
- Disable the Hammas Calendar plugin entirely until a security patch is applied
- Remove Contributor-level access from untrusted users to prevent exploitation
- Implement Content Security Policy headers to mitigate script execution from injected payloads
- Deploy a WAF rule to filter requests containing XSS patterns in shortcode parameters
# WP-CLI: confirm the installed version, then deactivate (plugin slug assumed to be hammas-calendar; verify with `wp plugin list`)
wp plugin get hammas-calendar --field=version
wp plugin deactivate hammas-calendar
# List every post, draft and revision that carries the shortcode, whatever the payload looks like.
# Do not filter on '<script': wp_kses strips that tag from Contributor-saved content, so real payloads use quotes and event handlers instead.
# $(wp db prefix) avoids hardcoding the wp_ table prefix.
wp db query "SELECT ID, post_type, post_status, post_author, post_title FROM $(wp db prefix)posts WHERE post_content LIKE '%hp-calendar-manage-redirect%'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.