A vulnerability, which was classified as problematic, has been found in room34 ICS Calendar Plugin up to 12.0.9 on WordPress. Affected by this issue is some unknown functionality of the component Shortcode Handler. This manipulation of the argument htmltagtitle causes cross site scripting.

This vulnerability is registered as CVE-2026-9838. Remote exploitation of the attack is possible. No exploit is available.