Reflected Cross-Site Scripting Vulnerability in ICS Calendar Plugin for WordPress
CVE-2026-9838
6.1MEDIUM
What is CVE-2026-9838?
The ICS Calendar plugin for WordPress is susceptible to reflected Cross-Site Scripting (XSS). This vulnerability arises from inadequate input sanitization and output escaping, specifically through the 'htmltagtitle' parameter. Attackers can exploit this flaw by enticing users to click on malicious links, resulting in the execution of arbitrary web scripts. The vulnerability can be accessed via the unauthenticated wp_ajax_nopriv_r34ics_ajax action, which accepts unvalidated js_args. This allows the htmltagtitle key to bypass standard shortcode allowlist checks, putting users at risk.
Affected Version(s)
ICS Calendar 0 <= 12.0.9