CVE-2026-1902 in Hammas Calendar Plugin

Summary

by MITRE • 03/07/2026

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/08/2026

The Hammas Calendar plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2026-1902, affecting all versions through 1.5.11. The vulnerability resides in the 'hp-calendar-manage-redirect' shortcode implementation, where the 'apix' parameter is neither properly sanitized on input nor escaped on output. The flaw is exploitable by authenticated users with Contributor-level access or higher within the WordPress environment, creating a significant security risk in which attackers with relatively low privileges can compromise the entire WordPress installation.

The technical nature of this vulnerability stems from the plugin's inadequate validation of user-supplied input through the 'apix' parameter within the shortcode functionality. When an authenticated user with sufficient privileges creates or modifies content containing the vulnerable shortcode with malicious input in the 'apix' parameter, the malicious script gets stored within the WordPress database. This stored script then executes whenever any user, regardless of their privilege level, accesses a page containing the injected content, making the vulnerability particularly dangerous as it can affect all users who encounter the compromised page.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform various malicious activities including session hijacking, credential theft, redirection to malicious sites, and potential privilege escalation within the WordPress environment. The vulnerability's classification aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and follows the ATT&CK framework's technique T1566.001 - Phishing: Spearphishing Attachment, where attackers can leverage this vulnerability to deliver malicious payloads through seemingly legitimate calendar content that users may encounter during normal WordPress usage.

Organizations using the Hammas Calendar plugin should immediately implement mitigations including updating to the latest available version of the plugin, implementing proper input validation and output escaping mechanisms, and conducting comprehensive security audits of all user-generated content. Additionally, administrators should consider implementing web application firewalls to detect and block malicious input patterns, while also reviewing user permissions to ensure that only trusted individuals have Contributor-level access or higher. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping in web applications, particularly in content management systems where user-generated content can be executed across multiple user sessions.
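The content-audit and output-escaping mitigations above, as an added Python example that is not VulDB's or the plugin's own code: it scans post bodies for the affected shortcode and flags 'apix' values that would be markup-active if echoed unescaped, and shows the escaping that makes such a value inert. The attribute grammar is a simplified form of WordPress's shortcode_parse_atts(), and the sample posts are constructed.

```python
import html
import re

# Shortcode and attribute named in the advisory.
SHORTCODE = "hp-calendar-manage-redirect"
ATTR = "apix"

# A [shortcode ...] opening tag; as in WordPress, attributes cannot contain ']'.
_TAG_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"(?![\w-])(?P<attrs>[^\]]*)\]")
# Simplified shortcode_parse_atts(): key="v", key='v' or key=v.
_ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Markup-active content that an unescaped attribute would hand to the browser.
_RISKY_RE = re.compile(r"""[<>"'`]|javascript:|\bon[a-z]+\s*=""", re.IGNORECASE)


def parse_attrs(attr_string: str) -> dict:
    """Return the shortcode's attributes as a lower-cased dict."""
    attrs = {}
    for m in _ATTR_RE.finditer(attr_string):
        key, dq, sq, bare = m.groups()
        attrs[key.lower()] = dq if dq is not None else sq if sq is not None else bare
    return attrs


def find_risky_shortcodes(post_content: str) -> list:
    """Flag every affected shortcode whose apix value contains markup-active input."""
    findings = []
    for m in _TAG_RE.finditer(post_content):
        value = parse_attrs(m.group("attrs")).get(ATTR)
        if value is None:
            continue
        # Decode entities first: '&lt;' is '<' once WordPress or the browser decodes it.
        if _RISKY_RE.search(html.unescape(value)):
            findings.append({"offset": m.start(), ATTR: value})
    return findings


def escape_for_attribute(value: str) -> str:
    """The missing output escaping: make a value inert inside a quoted HTML attribute."""
    return html.escape(value, quote=True)


# Constructed sample post bodies, not data taken from any real site.
SAMPLE_POSTS = {
    "benign":   '[hp-calendar-manage-redirect apix="spring-2026"] See you there.',
    "markup":   "[hp-calendar-manage-redirect apix='<img src=x>'] Promo",
    "scheme":   "[hp-calendar-manage-redirect apix=javascript:void(0)]",
    "entities": '[hp-calendar-manage-redirect apix="&lt;b&gt;bold&lt;/b&gt;"]',
    "other":    '[some-other-shortcode apix="<b>"]',
}

if __name__ == "__main__":
    for name, body in SAMPLE_POSTS.items():
        print(name, find_risky_shortcodes(body))
```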

Disclosure

03/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00045

KEV

no

Activities

very low
