CVE-2026-1807 in InteractiveCalculator Plugin
Summary
by MITRE • 02/18/2026
The InteractiveCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interactivecalculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/18/2026
The InteractiveCalculator WordPress plugin presents a critical stored cross-site scripting vulnerability that affects versions through 1.0.3, creating a significant security risk for WordPress installations. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's 'interactivecalculator' shortcode implementation, allowing malicious actors to inject persistent malicious scripts into the application's content. The flaw specifically targets user-supplied attributes that are processed through the shortcode without proper validation or sanitization, creating a persistent vector for attack that can affect any user who accesses pages containing the injected content.
The technical exploitation of this vulnerability requires an attacker to possess contributor-level access or higher within the WordPress environment, which represents a concerning privilege escalation risk given the relatively low barrier to entry for this access level. Once authenticated, attackers can leverage the shortcode parameter handling to inject malicious JavaScript code that persists in the database and executes whenever any user views pages containing the compromised content. This stored nature of the vulnerability means that the malicious scripts remain active even after the initial injection, continuously affecting all users who encounter the compromised pages until the malicious content is manually removed or the vulnerability is patched.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, data exfiltration, and redirection to malicious sites. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a clear violation of secure coding practices that require proper input validation and output encoding. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1566.001 for credential access through spearphishing attachments and T1059.001 for command and control through scripting, as attackers can establish persistent access through the injected scripts. The vulnerability affects the integrity and availability of the WordPress site, potentially compromising user data and the overall security posture of the organization.
Organizations should immediately implement mitigation strategies including restricting contributor-level access to only trusted personnel, applying the latest plugin updates once available, and implementing input validation measures at the web application firewall level. Security teams should monitor for suspicious shortcode usage patterns and conduct thorough audits of all user-generated content to identify potential injection attempts. The vulnerability highlights the importance of proper security testing and code review processes, particularly for plugins that handle user input through shortcodes or similar mechanisms. Additionally, implementing Content Security Policy headers and regular security scanning can provide additional defense-in-depth measures to protect against similar vulnerabilities in the future.