Does ICS Calendar have any unpatched vulnerabilities?

No. All known vulnerabilities in ICS Calendar have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is ICS Calendar compatible with WordPress 6.9.4?

According to WordPress.org data, ICS Calendar 12.0.5.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is ICS Calendar compatible with PHP 7.2+?

ICS Calendar requires PHP 7.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is ICS Calendar updated?

ICS Calendar was last updated on Mar 11, 2026. Frequent updates are generally a positive security signal.

What is ICS Calendar's security score?

ICS Calendar has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

ICS Calendar Security & Risk Analysis

wordpress.org/plugins/ics-calendar

Add the calendar you already use to Any WordPress site! Google Calendar, Microsoft 365, iCloud and more… no API keys or complicated setup required.

10K active installs v12.0.5.1 PHP 7.2+ WP 4.9+ Updated Mar 11, 2026

eventsgoogle-calendaricalendarics-feedoffice-365

A · Safe

CVEs total1

Unpatched0

Last CVEOct 26, 2023

Plugin page Download

Safety Verdict

Is ICS Calendar Safe to Use in 2026?

Generally Safe

Score 99/100

ICS Calendar has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Oct 26, 2023Updated 22d ago

Risk Assessment

The ics-calendar plugin v12.0.5.1 exhibits a generally positive security posture, with strong adherence to secure coding practices such as the exclusive use of prepared statements for SQL queries and a high percentage of properly escaped output. The absence of dangerous functions and critical/high severity taint flows further contributes to this favorable assessment. However, there are notable areas of concern that warrant attention.

The plugin's attack surface includes three AJAX handlers, with two of them lacking proper authentication checks. This presents a potential entry point for attackers to exploit functionalities that should be restricted. While the static analysis did not reveal any specific vulnerabilities related to these unprotected AJAX endpoints, their existence is a risk factor. The plugin's vulnerability history, marked by a past high-severity 'Path Traversal' vulnerability, indicates that such issues, even if currently patched, can exist and may resurface if not rigorously managed.

In conclusion, ics-calendar v12.0.5.1 demonstrates good security hygiene in many aspects, particularly concerning data handling and output sanitization. Nevertheless, the unprotected AJAX endpoints represent a significant weakness that increases the attack surface and could be exploited. The historical 'Path Traversal' vulnerability serves as a reminder that ongoing vigilance and thorough code reviews are crucial for maintaining a secure plugin.

Key Concerns

Unprotected AJAX handlers (2 out of 3)
High severity vulnerability in history (Path Traversal)

Vulnerabilities

ICS Calendar Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2023-46784high · 8.8Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ICS Calendar <= 10.12.0.2 - Authenticated (Contributor+) Arbitrary File Read and Server-Side Request Forgery

Oct 26, 2023 Patched in 10.12.0.3 (138d)

Code Analysis

Analyzed Mar 16, 2026

ICS Calendar Code Analysis

Dangerous Functions

Raw SQL Queries

3 prepared

Unescaped Output

798 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared3 total queries

Output Escaping

99% escaped805 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

_admin_page_callback_save_settings (class-r34ics.php:2438)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

ICS Calendar Attack Surface

Entry Points4

Unprotected2

AJAX Handlers 3

authwp_ajax_r34ics_ajaxr34ics-ajax.php:85

noprivwp_ajax_r34ics_ajaxr34ics-ajax.php:86

authwp_ajax_dismiss_admin_noticevendors\persist-admin-notices-dismissal\persist-admin-notices-dismissal.php:44

Shortcodes 1

[ics_calendar] class-r34ics.php:199

WordPress Hooks 42

actionadmin_enqueue_scriptsclass-r34ics.php:193

actionadmin_menuclass-r34ics.php:196

actionadmin_initclass-r34ics.php:202

actionadmin_initclass-r34ics.php:205

actionadmin_noticesclass-r34ics.php:206

actioninitclass-r34ics.php:209

actionadmin_initclass-r34ics.php:212

actioninitclass-r34ics.php:215

actioninitclass-r34ics.php:218

filterplugin_action_links_ics-calendar/ics-calendar.phpclass-r34ics.php:227

filterquery_varsclass-r34ics.php:230

actionwp_enqueue_scriptsclass-r34ics.php:233

actionwp_enqueue_scriptsclass-r34ics.php:237

actionpost_updatedclass-r34ics.php:240

actiontemplate_redirectclass-r34ics.php:241

filterhttp_request_host_is_externalclass-r34ics.php:244

actionr34ics_display_calendar_after_render_templateclass-r34ics.php:247

actionr34ics_display_calendar_after_wrapperclass-r34ics.php:248

actionr34ics_display_calendar_before_render_templateclass-r34ics.php:249

actionr34ics_display_calendar_before_wrapperclass-r34ics.php:250

actionr34ics_display_calendar_render_templateclass-r34ics.php:251

filterr34ics_calendar_classesclass-r34ics.php:254

filterr34ics_display_add_calendar_buttonclass-r34ics.php:255

filterr34ics_display_calendar_exclude_eventclass-r34ics.php:256

filterr34ics_display_calendar_filter_ics_dataclass-r34ics.php:1071

actionmedia_buttonsclass-r34ics.php:1178

actionadmin_print_footer_scriptsclass-r34ics.php:1190

filterr34ics_display_calendar_preprocess_raw_feedclass-r34ics.php:1553

filterr34ics_display_calendar_preprocess_raw_feedclass-r34ics.php:1556

actioncustomize_registerclass-r34ics.php:1586

filtersafe_style_cssclass-r34ics.php:1871

filterhttp_allowed_safe_portsclass-r34ics.php:2971

actionwp_footerfunctions.php:2195

actionplugins_loadedics-calendar.php:67

filterload_textdomain_mofileics-calendar.php:84

actionadmin_initics-calendar.php:125

actionupdate_option_start_of_weekics-calendar.php:173

actionupdate_option_timezone_stringics-calendar.php:174

actionshutdownics-calendar.php:178

filterwp_plugin_check_ignore_directoriesics-calendar.php:182

actionadmin_enqueue_scriptsvendors\persist-admin-notices-dismissal\persist-admin-notices-dismissal.php:43

filterpand_dismiss_notice_js_urlvendors\persist-admin-notices-dismissal\persist-admin-notices-dismissal.php:55

Maintenance & Trust

ICS Calendar Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 11, 2026

PHP min version7.2

Downloads1.7M

Community Trust

Rating98/100

Number of ratings71

Active installs10K

Alternatives

ICS Calendar Alternatives

Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar

booking-manager

Showing events listing from .ics feeds or sync bookings from different sources to your website

5K 4 CVEs

Simple Calendar – Google Calendar Plugin

google-calendar-events

Add Google Calendar events to your WordPress site in minutes. Beautiful calendar displays. Mobile responsive.

50K 7 CVEs

Events Calendar for Google

events-calendar-for-google

Events Calendar for Google implements google calender to your wordpress website using different style and layouts. Get connected to your audience usin …

2K 1 CVE

Simple Google Calendar Outlook Events Widget

simple-google-icalendar-widget

Block widget that displays events from a public google calendar or iCal file.

1K 1 CVE

Hydrogen Calendar Embeds

hydrogen-calendar-embeds

100

The free, simple, lightweight way to embed beautiful, fully customizable ICS calendars into your WordPress site.

500 No CVEs

Developer Profile

ICS Calendar Developer Profile

Room 34 Creative Services, LLC

10 plugins · 14K total installs

trust score

Avg Security Score

93/100

Avg Patch Time

138 days

View full developer profile

Detection Fingerprints

How We Detect ICS Calendar

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ics-calendar/assets/css/frontend.css/wp-content/plugins/ics-calendar/assets/js/frontend.js/wp-content/plugins/ics-calendar/assets/css/admin.css/wp-content/plugins/ics-calendar/assets/js/admin.js/wp-content/plugins/ics-calendar/assets/js/vendor/moment.min.js/wp-content/plugins/ics-calendar/assets/js/vendor/moment-timezone-with-data.min.js/wp-content/plugins/ics-calendar/assets/js/vendor/ical.js

Script Paths

/wp-content/plugins/ics-calendar/assets/js/frontend.js/wp-content/plugins/ics-calendar/assets/js/admin.js/wp-content/plugins/ics-calendar/assets/js/vendor/moment.min.js/wp-content/plugins/ics-calendar/assets/js/vendor/moment-timezone-with-data.min.js/wp-content/plugins/ics-calendar/assets/js/vendor/ical.js

Version Parameters

ics-calendar/assets/css/frontend.css?ver=ics-calendar/assets/js/frontend.js?ver=ics-calendar/assets/css/admin.css?ver=ics-calendar/assets/js/admin.js?ver=ics-calendar/assets/js/vendor/moment.min.js?ver=ics-calendar/assets/js/vendor/moment-timezone-with-data.min.js?ver=ics-calendar/assets/js/vendor/ical.js?ver=

HTML / DOM Fingerprints

CSS Classes

ics-calendar-wrapperics-calendar-eventics-calendar-event-titleics-calendar-event-dateics-calendar-event-timer34ics-calendarr34ics-list-itemr34ics-event-title+2 more

HTML Comments

Data Attributes

data-ics-calendardata-r34ics-settings

JS Globals

r34ics_frontend_paramsR34ICS_Admin_Settings

Shortcode Output

<div class="ics-calendar-wrapper"><div id="r34ics-calendar-<div class="r34ics-calendar<div class="r34ics-list-item

FAQ