Security Alert Summary
The InteractiveCalculator for WordPress plugin contains a stored Cross-Site Scripting (XSS) vulnerability in the plugin’s interactivecalculator shortcode. Insufficient input sanitization and output escaping of user-supplied shortcode attributes allow authenticated users with contributor-level access and above to inject scripts that execute when an injected page is viewed.
CVE Details
- CVE ID: CVE-2026-1807
- Affected plugin / component: The InteractiveCalculator for WordPress plugin for WordPress
- Affected versions: All versions up to, and including, 1.0.3
- Published: February 18, 2026 at 7:16:09 AM UTC
- Last modified: February 18, 2026 at 7:16:09 AM UTC
- CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / Privileges / User Interaction: Requires authenticated user with low privileges (contributor-level access and above). User interaction: None required. Attack vector: Network.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / Weakness: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored Cross-Site Scripting (XSS) issue triggered via the plugin’s interactivecalculator shortcode. According to the CVE description, user-supplied shortcode attributes are not sufficiently sanitized or escaped on output. Because the malicious input is stored and rendered in pages, an authenticated attacker with contributor-level privileges (or higher) can inject arbitrary JavaScript that will execute in the browser of any user who views the affected page.
The underlying cause is missing or insufficient input validation and output escaping for shortcode attribute values. The CVE entry does not name specific PHP functions or REST endpoints beyond the shortcode itself.
How This Could Impact Your Website
In a typical small business WordPress site, an external contractor or a staff member with contributor access could add or edit content that includes the vulnerable shortcode attributes. If an attacker injects a script, other users who view the page (site owners, internal staff, or other contributors) could have that script executed in their browsers. Practical consequences aligned with the CVSS impact include exposure of low-sensitivity data visible to the browser (for example, profile details accessible in the page context), and an increased risk of targeted phishing or social engineering against staff based on information that can be collected from affected pages.
The vulnerability does not indicate destruction of availability, and its confidentiality and integrity impacts are rated low, but it still enables unwanted script execution in user browsers which can be used for session-related or content manipulation attacks. professional review may help determine whether your site roles or plugin usage expose you to this issue.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles; limit contributor access where possible.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and audit recent content changes for unexpected shortcode usage or injected scripts.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/interactivecalculator/tags/1.0.1/interactivecalculator.php#L44
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3456849%40interactivecalculator&new=3456849%40interactivecalculator&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3456870%40interactivecalculator&new=3456870%40interactivecalculator&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5c38f080-59c7-4201-9e87-87ee9ab6b97b?source=cve