CVE-2026-1922 identifies a stored cross-site scripting vulnerability in the 'The Events Calendar Shortcode & Block' WordPress plugin developed by brianhogg. The flaw resides in the insufficient sanitization and escaping of user-supplied input within the 'message' attribute of the 'ecs-list-events' shortcode. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages or posts by manipulating this attribute. Because the injected script is stored persistently, it executes in the context of any user who views the affected page, potentially compromising session tokens, redirecting users, or performing actions on their behalf. The vulnerability affects all plugin versions up to and including 3.1.2. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change due to the script executing in other users' browsers. While no public exploits have been reported, the vulnerability's nature makes it a significant risk for websites with multiple contributors. The lack of output escaping and input validation in the shortcode's handling of the 'message' attribute is the root cause. Mitigation requires updating the plugin once a patch is available or applying manual input sanitization and output escaping. Additionally, limiting contributor privileges and monitoring for suspicious content can reduce risk.

For European organizations, this vulnerability poses a risk primarily to websites using WordPress with the affected plugin installed. The impact includes potential compromise of user accounts via session hijacking, defacement of web content, unauthorized actions performed on behalf of users, and possible data leakage. Since the exploit requires contributor-level access, insider threats or compromised contributor accounts are the main vectors. Organizations with public-facing event management sites or community portals using this plugin are at greater risk. The vulnerability could undermine user trust, lead to reputational damage, and cause compliance issues under GDPR if personal data is exposed or manipulated. The medium CVSS score indicates moderate risk, but the scope change and stored nature of the XSS increase the potential impact. European entities with multiple content contributors and high visitor traffic are especially vulnerable to cascading effects of such attacks.

1. Immediately update 'The Events Calendar Shortcode & Block' plugin to a patched version once released by the vendor. 2. Until a patch is available, restrict contributor-level permissions to trusted users only and review existing contributor accounts for suspicious activity. 3. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'message' attribute in the shortcode. 4. Employ input validation and output encoding on user-supplied content related to the shortcode, either via custom code or security plugins that sanitize shortcode attributes. 5. Regularly audit website content for injected scripts or unusual code snippets, especially in event-related pages. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Monitor logs for unusual POST requests or content changes associated with the shortcode. 8. Consider disabling the shortcode temporarily if it is not essential to reduce attack surface.