Vulnerabilities and security researches forics-calendar ics-calendar
Direction: ascendingJun 07, 2024
ICS Calendar # CVE-2023-46784
- CVE, Research URL
- Home page URL
- Application
- Date
- May 17, 2024
- Research Description
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Server-Side Request Forgery (SSRF) vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Absolute Path Traversal, : Server Side Request Forgery.This issue affects ICS Calendar: from n/a through 10.12.0.3.
- Affected versions
-
max 10.12.0.3.
- Status
-
vulnerable
ICS Calendar # 5a5b3bfb83aae5ce5dd681e1709f98df7a7d5845
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 23, 2023
- Research Description
- ICS Calendar [ics-calendar] < 10.12.0.2 ICS Calendar <= 10.12.0.1 - Authenticated(Contributor+) Directory Traversal via _url_get_contents The ICS Calendar plugin for WordPress is vulnerable to Directory Traversal in all versions up, and including, 10.12.0.1 via the _url_get_contents function. This makes it possible for authenticated attackers, with contributor access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
- Affected versions
-
max 10.12.0.2.
- Status
-
vulnerable
Jul 12, 2026
ICS Calendar # CVE-2026-9838
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 10, 2026
- Research Description
- The ICS Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'htmltagtitle' parameter in all versions up to, and including, 12.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability is reachable via the unauthenticated wp_ajax_nopriv_r34ics_ajax AJAX action, which accepts attacker-controlled js_args values merged over stored shortcode configuration without nonce verification, allowing the htmltagtitle key to bypass the normal shortcode allowlist check.
- Affected versions
-
max 12.0.9.2.
- Status
-
vulnerable
Jul 14, 2026
ICS Calendar # CVE-2026-59516
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 13, 2026
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1.
- Affected versions
-
max 12.1.1.1.
- Status
-
vulnerable