
    Stored Cross-Site Scripting in Hammas Calendar Plugin via 'apix' Parameter

    Published Date: 3/7/2026
    CVE ID: CVE-2026-1902

    Summary

    The Hammas Calendar plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability. The flaw is present in versions up to 1.5.11, allowing authenticated users with Contributor-level access and above to inject malicious scripts through the 'apix' parameter.

    Vulnerability Details

    The vulnerability lies in the 'apix' parameter of the 'hp-calendar-manage-redirect' shortcode, which is neither sanitized on input nor escaped on output. An attacker with Contributor-level access or higher can therefore store arbitrary script in a page or post, and that script runs in the browser of every user, administrator or visitor included, who views the affected page. This can lead to unauthorized actions or data theft, compromising both user security and website integrity. The root cause is inadequate validation of the input combined with echoing the value without HTML-entity encoding, the classic pathway for XSS. The immediate impact is on users' browsers, and the severity escalates when the script executes inside an authenticated session.
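    As an added illustration (not the Hammas Calendar plugin's own code), the following hypothetical shortcode handler shows the defect class the advisory describes, an attribute value echoed without escaping, next to a hardened version that validates on input and escapes on output. The shortcode name and the 'apix' attribute are taken from the advisory; treating 'apix' as a redirect URL placed in an href is an assumption.

```php
<?php
// Added example, not the plugin's code. Assumes the 'apix' attribute of the
// 'hp-calendar-manage-redirect' shortcode is meant to hold a redirect URL.

// Hypothetical vulnerable pattern: whatever a Contributor saved in post content
// is emitted verbatim, so any markup or script in the attribute reaches the
// browser of everyone who views the page.
function hp_calendar_manage_redirect_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'apix' => '' ), $atts, 'hp-calendar-manage-redirect' );
    return '<a href="' . $atts['apix'] . '">Manage calendar</a>';
}

// Hardened handler, following WordPress conventions:
//  1. sanitize the value on input, restricting it to http(s) URLs;
//  2. escape again at the point of output with the context-specific escaper.
function hp_calendar_manage_redirect_safe( $atts ) {
    $atts = shortcode_atts( array( 'apix' => '' ), $atts, 'hp-calendar-manage-redirect' );

    // esc_url_raw() returns '' for values that are not http(s) URLs, which
    // rejects script-bearing schemes and stray markup outright.
    $url = esc_url_raw( $atts['apix'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }

    // esc_url() is the correct escaper for an href attribute; esc_html()
    // covers the link text. Never reuse the raw attribute value here.
    return '<a href="' . esc_url( $url, array( 'http', 'https' ) ) . '">'
        . esc_html( 'Manage calendar' ) . '</a>';
}

// Only the hardened handler is registered; the unsafe one is shown for contrast.
add_shortcode( 'hp-calendar-manage-redirect', 'hp_calendar_manage_redirect_safe' );
```

    Shortcode attributes are attacker-controlled input for any role allowed to edit post content, so the same sanitize-then-escape discipline applies to every attribute a shortcode renders, not just this one.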

    Recommendations

    To mitigate this vulnerability, site administrators should grant Contributor-level access only to trusted individuals. Additionally, consider using security plugins that provide additional input sanitization and output escaping. Regularly audit and update all plugins and themes to minimize exposure to known vulnerabilities.

    Available Fixes

    Last Updated: 3/10/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.

    All Rights Reserved © 2026 Jedar for Digital Rights.
