CVE-2026-9838 in ICS Calendar Plugininfo

Summary

by MITRE • 07/10/2026

The ICS Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'htmltagtitle' parameter in all versions up to, and including, 12.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability is reachable via the unauthenticated wp_ajax_nopriv_r34ics_ajax AJAX action, which accepts attacker-controlled js_args values merged over stored shortcode configuration without nonce verification, allowing the htmltagtitle key to bypass the normal shortcode allowlist check.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The ICS Calendar plugin for WordPress represents a critical security vulnerability through its implementation of reflected cross-site scripting in versions up to and including 12.0.9. This flaw exists within the plugin's handling of user input through the htmltagtitle parameter, which fails to implement proper sanitization measures and output escaping mechanisms. The vulnerability stems from insufficient validation of input data that flows into the plugin's AJAX processing endpoint, creating an attack surface that can be exploited by unauthenticated threat actors seeking to execute malicious scripts within the context of affected WordPress installations.

The technical exploitation of this vulnerability occurs through the wp_ajax_nopriv_r34ics_ajax AJAX action which operates without proper authentication requirements, making it accessible to any user without credentials. This endpoint accepts attacker-controlled js_args values that are merged with stored shortcode configurations without adequate nonce verification procedures. The merging process allows the htmltagtitle key to bypass the normal shortcode allowlist validation checks that would typically prevent unauthorized parameter injection. This design flaw creates a direct pathway for malicious input to be processed and executed within the plugin's output rendering, effectively transforming legitimate plugin functionality into an attack vector.

The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform various malicious activities including session hijacking, data exfiltration, and user interface manipulation. The reflected nature of the XSS means that successful exploitation requires social engineering to trick users into clicking on malicious links containing crafted payloads, but once triggered, the attack can persist across user sessions until the malicious content is removed from the plugin's configuration. Attackers can leverage this vulnerability to inject persistent scripts that monitor user interactions, steal authentication tokens, or redirect users to malicious domains, making it particularly dangerous in environments where multiple users interact with the calendar functionality.

Security professionals should note this vulnerability aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and follows attack patterns associated with ATT&CK technique T1566.002 - Phishing via Service. The lack of proper input validation combined with the absence of nonce verification in the AJAX endpoint creates a fundamental security weakness that violates standard web application security practices. Organizations should immediately upgrade to patched versions of the plugin or implement temporary mitigations including restricting access to the vulnerable AJAX endpoint and monitoring for suspicious activity related to calendar shortcode usage. Additionally, administrators should review and harden their WordPress installations through proper input sanitization procedures and implement comprehensive security monitoring to detect potential exploitation attempts.

The vulnerability demonstrates how seemingly minor implementation flaws in plugin code can create significant security risks when multiple security controls fail simultaneously. The combination of insufficient output escaping, lack of input validation, and absence of authentication checks creates a perfect storm for XSS exploitation. This case highlights the importance of proper security testing during plugin development and the necessity of implementing defense-in-depth strategies that protect against multiple attack vectors simultaneously. Organizations relying on WordPress plugins must maintain current security awareness and regularly audit their installations to identify and remediate similar vulnerabilities that could compromise user data and system integrity.

Responsible

Wordfence

Reservation

05/28/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!