Description
The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Hammas Calendar plugin for WordPress exposes a stored cross‑site scripting flaw in the 'apix' attribute of the 'hp‑calendar‑manage‑redirect' shortcode. Insufficient input sanitization and missing output escaping allow a malicious attribute value to be persisted in post content, so the browser of anyone who views the affected page, including editors and administrators, executes the injected script. This gives attackers the ability to hijack user sessions, deface sites, or perform further client‑side attacks from the victim's browser. The weakness is classified as CWE‑79 (improper neutralization of input during web page generation, i.e. cross‑site scripting); because the payload is saved with the post rather than reflected from a request, it is the stored variant.

Affected Systems

Organisations running the Hammas Calendar WordPress plugin, specifically any installation using version 1.5.11 or earlier, are vulnerable. The CNA data identifies the product as innovaatik:Hammas Calendar; no further CPE strings are listed, so the scope is limited to this plugin rather than the WordPress core itself.

Risk and Exploitability

With a CVSS 3.1 score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), the vulnerability is rated medium: it is reachable over the network with low complexity and needs only low privileges, and the changed scope reflects that the script runs in other users' browsers. The EPSS score of less than 1% indicates a very low estimated probability of exploitation activity in the near term. The issue is not listed in the CISA KEV catalog, and no public exploit is known at this time. Attackers require authenticated Contributor‑level access or higher; the flaw is triggered by saving a malicious value for 'apix' in content where the shortcode is rendered, leading to script execution for every user who views that content.
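To make the mechanism concrete, the following is an added PHP illustration and not the Hammas Calendar plugin's own code. The shortcode and attribute names are taken from the advisory; that 'apix' ends up in an HTML attribute, and the helper function names, are assumptions made for the example. It shows the vulnerable pattern (attribute echoed unescaped) next to a hardened form that validates on input and escapes on output, and it includes stand-ins for the WordPress helpers so it runs offline with `php file.php`.

```php
<?php
// Added example, not code from the Hammas Calendar plugin. Demonstrates the
// general WordPress shortcode stored-XSS pattern the advisory describes:
// a Contributor-controlled shortcode attribute written into page HTML.

// Stand-ins so the file runs outside WordPress (assumed approximations of
// the real helpers; inside WordPress the real ones are used instead).
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
    function add_shortcode( $tag, $callback ) {}
}

// --- Vulnerable pattern -----------------------------------------------------
// A Contributor writes [hp-calendar-manage-redirect apix="..."] into a post.
// The attribute is concatenated straight into markup, so a value such as
//   " onmouseover="alert(1)
// closes the data-apix attribute and adds an event handler.
function hp_calendar_redirect_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'apix' => '' ), $atts, 'hp-calendar-manage-redirect' );
    return '<div class="hp-calendar" data-apix="' . $atts['apix'] . '"></div>';
}

// --- Hardened pattern -------------------------------------------------------
// 1. Validate on the way in: allow-list the characters the feature needs
//    (assumed here to be an identifier, so [a-z0-9_-]; use esc_url() instead
//    if the value were a URL).
// 2. Escape on the way out with the helper for the HTML attribute context.
function hp_calendar_redirect_hardened( $atts ) {
    $atts = shortcode_atts( array( 'apix' => '' ), $atts, 'hp-calendar-manage-redirect' );
    $apix = sanitize_key( $atts['apix'] );
    return '<div class="hp-calendar" data-apix="' . esc_attr( $apix ) . '"></div>';
}

add_shortcode( 'hp-calendar-manage-redirect', 'hp_calendar_redirect_hardened' );

// Constructed test input: an attribute-breakout payload of the kind a
// Contributor could store in a post.
$payload = array( 'apix' => '" onmouseover="alert(document.cookie)' );

echo "vulnerable: ", hp_calendar_redirect_vulnerable( $payload ), "\n";
// -> <div class="hp-calendar" data-apix="" onmouseover="alert(document.cookie)"></div>
echo "hardened:   ", hp_calendar_redirect_hardened( $payload ), "\n";
// -> <div class="hp-calendar" data-apix="onmouseoveralertdocumentcookie"></div>
```

The important point for a fix review is that escaping alone is context-dependent: esc_attr() is correct inside a quoted HTML attribute, but a value placed in a URL, in JavaScript, or in CSS needs esc_url(), wp_json_encode(), or esc_js() respectively. Pairing an input allow-list with the context-appropriate output escape, as above, closes the attribute-breakout route regardless of where the value is later reused.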

Generated by OpenCVE AI on April 15, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hammas Calendar plugin to the latest patched version that removes the vulnerability or a release beyond 1.5.11 if available.
  • Remove or restrict Contributor and above privileges for users that do not require them, thereby limiting the pool of accounts able to store the payload.
  • Deploy a Content Security Policy that disallows execution of inline scripts or blocks known malicious sources, and consider using a web‑application firewall rule to detect or reject suspicious ‘apix’ inputs.

Generated by OpenCVE AI on April 15, 2026 at 19:52 UTC.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values added: Innovaatik; Innovaatik hammas Calendar; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Innovaatik; Innovaatik hammas Calendar; Wordpress; Wordpress wordpress

Sat, 07 Mar 2026 02:15:00 +0000

Type: Description
Values added: The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values added: Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (none listed)
Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:58.212Z

Reserved: 2026-02-04T15:08:30.694Z

Link: CVE-2026-1902

Vulnrichment

Updated: 2026-03-09T19:00:27.137Z

NVD

Status : Deferred

Published: 2026-03-07T02:16:11.893

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-1902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses