CVE-2026-59516
Received Received - Intake

ICS Calendar Reflected Cross-Site Scripting Vulnerability

Vulnerability report for CVE-2026-59516, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
room_34_creative_services_llc ics_calendar 12.1.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Cross Site Scripting (XSS) issue found in the WordPress ICS Calendar Plugin, versions up to and including 12.1.1. It occurs because the plugin improperly neutralizes input during web page generation, allowing attackers to inject malicious scripts.

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page, and can happen without authentication.

Attackers can use this vulnerability to inject malicious scripts like redirects or advertisements into the affected website.

Detection Guidance

This vulnerability is a reflected Cross Site Scripting (XSS) issue in the ICS Calendar WordPress plugin up to version 12.1.1. Detection typically involves monitoring for suspicious HTTP requests that include malicious script payloads or unusual URL parameters that could trigger the XSS.

While no specific commands are provided in the resources, common detection methods include using web application firewalls (WAFs) with rules to detect XSS payloads, or scanning HTTP request logs for suspicious input patterns.

You can also use tools like curl or wget to test for reflected XSS by sending crafted requests with script tags in URL parameters and observing if the response reflects the input unescaped.

Mitigation Strategies

The recommended immediate mitigation is to update the ICS Calendar plugin to version 12.1.1.1 or later, where the vulnerability has been fixed.

Until the update can be applied, Patchstack provides a mitigation rule that can be used to block attacks exploiting this vulnerability.

Additionally, implementing or tuning a web application firewall (WAF) to detect and block reflected XSS payloads can help reduce risk.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, unwanted advertisements, or other malicious activities.

Because the vulnerability can be exploited without authentication and requires only user interaction, it poses a moderate risk to website security.

The CVSS score of 7.1 indicates a moderately dangerous issue that could be exploited in widespread attacks targeting many websites.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart