Ics Calendar
Monthly
Reflected cross-site scripting in the ICS Calendar WordPress plugin (by Room 34 Creative Services) affects all versions from initial release through 12.1.1, letting an attacker craft a malicious URL that, when opened by a victim, injects arbitrary script into the rendered page. Because the CVSS scope is changed (S:C), successful execution can affect resources beyond the vulnerable component, including a logged-in administrator's WordPress session. No public exploit identified at time of analysis, and it is not on the CISA KEV list.
Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.
Reflected cross-site scripting in the ICS Calendar WordPress plugin (by Room 34 Creative Services) affects all versions from initial release through 12.1.1, letting an attacker craft a malicious URL that, when opened by a victim, injects arbitrary script into the rendered page. Because the CVSS scope is changed (S:C), successful execution can affect resources beyond the vulnerable component, including a logged-in administrator's WordPress session. No public exploit identified at time of analysis, and it is not on the CISA KEV list.
Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.