Reflected Cross-Site Scripting Vulnerability in ICS Calendar Plugin for WordPress
CVE-2026-9838

6.1MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
10 July 2026

What is CVE-2026-9838?

The ICS Calendar plugin for WordPress is susceptible to reflected Cross-Site Scripting (XSS). This vulnerability arises from inadequate input sanitization and output escaping, specifically through the 'htmltagtitle' parameter. Attackers can exploit this flaw by enticing users to click on malicious links, resulting in the execution of arbitrary web scripts. The vulnerability can be accessed via the unauthenticated wp_ajax_nopriv_r34ics_ajax action, which accepts unvalidated js_args. This allows the htmltagtitle key to bypass standard shortcode allowlist checks, putting users at risk.

Affected Version(s)

ICS Calendar 0 <= 12.0.9

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Khanh Nguyen
.