{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1922", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T18:02:34.066Z", "datePublished": "2026-02-10T09:26:05.694Z", "dateUpdated": "2026-04-08T17:18:25.627Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:25.627Z"}, "affected": [{"vendor": "brianhogg", "product": "The Events Calendar Shortcode & Block", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "The Events Calendar Shortcode & Block <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb302539-97e7-4b2c-865d-bd81919647ae?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar-shortcode/tags/3.1.1/the-events-calendar-shortcode.php#L486"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar-shortcode/trunk/the-events-calendar-shortcode.php#L486"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3454586%40the-events-calendar-shortcode&old=3448663%40the-events-calendar-shortcode&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-04T22:23:02.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-09T20:37:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:10:41.624069Z", "id": "CVE-2026-1922", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:10:59.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1922", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:10:41.624069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:10:47.501Z"}}], "cna": {"title": "The Events Calendar Shortcode & Block <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "brianhogg", "product": "The Events Calendar Shortcode & Block", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-04T22:23:02.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-09T20:37:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb302539-97e7-4b2c-865d-bd81919647ae?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar-shortcode/tags/3.1.1/the-events-calendar-shortcode.php#L486"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar-shortcode/trunk/the-events-calendar-shortcode.php#L486"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3454586%40the-events-calendar-shortcode&old=3448663%40the-events-calendar-shortcode&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:25.627Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1922", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:25.627Z", "dateReserved": "2026-02-04T18:02:34.066Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-10T09:26:05.694Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ecs-list-events` shortcode `message` attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin The Events Calendar Shortcode &amp; Block para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del atributo 'message' del shortcode 'ecs-list-events' del plugin en todas las versiones hasta la 3.1.2, e incluyendo, debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1922", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-10T10:15:57.883", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar-shortcode/tags/3.1.1/the-events-calendar-shortcode.php#L486"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar-shortcode/trunk/the-events-calendar-shortcode.php#L486"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3454586%40the-events-calendar-shortcode&old=3448663%40the-events-calendar-shortcode&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb302539-97e7-4b2c-865d-bd81919647ae?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.2]"}}], "product": "the_events_calendar_shortcode_&_block", "vendor": "brian_hogg"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T21:17:31.188027+00:00", "value": {"mitigation_remediation": ["Update the plugin to a version newer than 3.1.2 once it is available.", "If an upgrade is not possible, restrict contributor\u2011level users from adding or editing shortcodes, or use a role\u2011based access plugin to remove the capability to edit content containing shortcodes.", "As an interim measure, remove or sanitize the ecs\u2011list\u2011events shortcode from existing content, or replace it with a manually sanitized version that escapes the message attribute."], "summary": {"action": "Upgrade Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the The Events Calendar Shortcode & Block plugin developed by Brian Hogg, in all versions up to and including 3.1.2.", "description_and_impact": "The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to a stored Cross\u2011Site Scripting flaw in the ecs\u2011list\u2011events shortcode message attribute. An attacker with contributor\u2011level or higher privileges can embed arbitrary JavaScript that runs whenever a page containing the injected shortcode is displayed.", "risk_and_exploitability": "The severity score is CVSS 6.4, indicating moderate risk, and the computed EPSS score is less than 1%, suggesting a low probability of exploitation at present. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers must first gain authenticated access with at least contributor rights and then supply a crafted shortcode to store the malicious payload."}}}}, "created": "2026-02-10T11:34:23.804753+00:00", "updated": "2026-04-15T21:30:13.888691+00:00", "vendors": ["brian_hogg", "brian_hogg$PRODUCT$the_events_calendar_shortcode_&_block", "wordpress", "wordpress$PRODUCT$wordpress"]}