ICS Calendar <= 12.0.9 - Reflected Cross-Site Scripting via 'htmltagtitle' Parameter

2026-07-09 19:52
Khanh Nguyen

Strategic Overview

Status
Patched in 12.0.9.2
Affected PluginICS Calendar
Affected Version<= 12.0.9
CVSS6.1Medium
CVECVE-2026-9838
View all ICS Calendar vulnerabilities

Vulnerability Overview

The ICS Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'htmltagtitle' parameter in all versions up to, and including, 12.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability is reachable via the unauthenticated wp_ajax_nopriv_r34ics_ajax AJAX action, which accepts attacker-controlled js_args values merged over stored shortcode configuration without nonce verification, allowing the htmltagtitle key to bypass the normal shortcode allowlist check.

Technical Analysis

REMEDIATION: Update to version 12.0.9.2, or a newer patched version --- IDENTIFIER: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

ICS Calendar <= 12.0.9 - Reflected Cross-Site Scripting via 'htmltagtitle' Parameter (CVE-2026-9838)