Cross-Site Scripting Vulnerability in ICS Calendar by Room 34 Creative Services, LLC
CVE-2026-59516

7.1HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
13 July 2026

What is CVE-2026-59516?

The ICS Calendar plugin by Room 34 Creative Services, LLC contains a Cross-Site Scripting vulnerability that allows attackers to execute arbitrary JavaScript in the context of a victim's session. This occurs due to improper neutralization of user input when generating web pages, particularly impacting users with versions up to 12.1.1. Attackers can exploit this vulnerability to manipulate web content, potentially leading to session hijacking or data theft. Maintaining updated versions is crucial to mitigate associated risks.

Affected Version(s)

ICS Calendar 0 <= 12.1.1

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ba Khanh | Patchstack Bug Bounty Program
.