cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forics-calendar ics-calendar

Direction: ascending
Jun 07, 2024

ICS Calendar # CVE-2023-46784

CVE, Research URL

CVE-2023-46784

Application

ICS Calendar

Date
May 17, 2024
Research Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Server-Side Request Forgery (SSRF) vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Absolute Path Traversal, : Server Side Request Forgery.This issue affects ICS Calendar: from n/a through 10.12.0.3.
Affected versions
max 10.12.0.3.
Status
vulnerable

ICS Calendar # 5a5b3bfb83aae5ce5dd681e1709f98df7a7d5845

Application

ICS Calendar

Date
Oct 23, 2023
Research Description
ICS Calendar [ics-calendar] < 10.12.0.2 ICS Calendar <= 10.12.0.1 - Authenticated(Contributor+) Directory Traversal via _url_get_contents The ICS Calendar plugin for WordPress is vulnerable to Directory Traversal in all versions up, and including, 10.12.0.1 via the _url_get_contents function. This makes it possible for authenticated attackers, with contributor access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected versions
max 10.12.0.2.
Status
vulnerable
Jul 12, 2026

ICS Calendar # CVE-2026-9838

CVE, Research URL

CVE-2026-9838

Application

ICS Calendar

Date
Jul 10, 2026
Research Description
The ICS Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'htmltagtitle' parameter in all versions up to, and including, 12.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability is reachable via the unauthenticated wp_ajax_nopriv_r34ics_ajax AJAX action, which accepts attacker-controlled js_args values merged over stored shortcode configuration without nonce verification, allowing the htmltagtitle key to bypass the normal shortcode allowlist check.
Affected versions
max 12.0.9.2.
Status
vulnerable
Jul 14, 2026

ICS Calendar # CVE-2026-59516

CVE, Research URL

CVE-2026-59516

Application

ICS Calendar

Date
Jul 13, 2026
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1.
Affected versions
max 12.1.1.1.
Status
vulnerable