CVE-2012-1835

NUCLEI

Timely All-in-one Event Calendar - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

Exploits (4)

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37077

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37076

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37078

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37075

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress Plugin All-in-One Event Calendar 1.4 - Cross-Site Scripting

MEDIUMby daffainfo

References (3)

Core 3

Core References

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/52986

Exploit x_refsource_misc

https://www.htbridge.com/advisory/HTB23082

Exploit mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2012-04/0071.html

Scores

EPSS 0.0097

EPSS Percentile 76.9%

Details

CWE

CWE-79

Status published

Products (2)

timely/all-in-one_event_calendar 1.4

timely/all-in-one_event_calendar 1.5

Published Aug 14, 2012

Tracked Since Feb 18, 2026