Skip to main content

Ics Calendar

2 CVEs product

Monthly

CVE-2026-59516 HIGH This Week

Reflected cross-site scripting in the ICS Calendar WordPress plugin (by Room 34 Creative Services) affects all versions from initial release through 12.1.1, letting an attacker craft a malicious URL that, when opened by a victim, injects arbitrary script into the rendered page. Because the CVSS scope is changed (S:C), successful execution can affect resources beyond the vulnerable component, including a logged-in administrator's WordPress session. No public exploit identified at time of analysis, and it is not on the CISA KEV list.

XSS Ics Calendar
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-9838 MEDIUM This Month

Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.

WordPress XSS Ics Calendar
NVD
CVSS 3.1
6.1
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the ICS Calendar WordPress plugin (by Room 34 Creative Services) affects all versions from initial release through 12.1.1, letting an attacker craft a malicious URL that, when opened by a victim, injects arbitrary script into the rendered page. Because the CVSS scope is changed (S:C), successful execution can affect resources beyond the vulnerable component, including a logged-in administrator's WordPress session. No public exploit identified at time of analysis, and it is not on the CISA KEV list.

XSS Ics Calendar
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.

WordPress XSS Ics Calendar
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy