CVE-2026-1922 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WordPress plugin 'The Events Calendar Shortcode & Block' by brianhogg. The vulnerability exists in all versions up to and including 3.1.2 due to insufficient sanitization and escaping of user-supplied input in the 'message' attribute of the 'ecs-list-events' shortcode. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into event pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the infected page and has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability can affect other users beyond the attacker. No patches or official fixes are linked yet, and no known exploits have been observed in the wild. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content to be rendered on public pages.

The impact of CVE-2026-1922 is significant for organizations using the affected plugin on WordPress sites, particularly those that allow contributor-level users to create or edit event content. Exploitation can lead to session hijacking, unauthorized actions performed in the context of other users (including administrators), defacement, or distribution of malware via injected scripts. This can compromise the confidentiality and integrity of user data and site content. While availability is not directly impacted, the reputational damage and potential data breaches can be severe. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls; however, many WordPress sites have multiple contributors or editors, increasing the attack surface. The scope change means that the vulnerability affects other users beyond the attacker, amplifying the potential damage. Organizations with public-facing event calendars or community-driven content are particularly vulnerable to exploitation and subsequent attacks such as phishing or privilege escalation.

To mitigate CVE-2026-1922, organizations should immediately restrict contributor-level permissions to trusted users only and audit existing event content for suspicious scripts. Applying the latest plugin updates once available is critical; if no patch is yet released, consider temporarily disabling the 'The Events Calendar Shortcode & Block' plugin or removing the vulnerable shortcode usage from pages. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'message' attribute can provide interim protection. Additionally, site administrators should enforce Content Security Policy (CSP) headers to limit script execution sources and regularly scan the site for injected malicious code. Educating contributors about safe content practices and monitoring logs for unusual activity can help detect exploitation attempts early. Finally, consider using security plugins that sanitize shortcode inputs or employing custom filters to validate and escape user inputs before rendering.