CVE-2012-1835

NUCLEI

Timely All-in-one Event Calendar - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

Exploits (4)

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37078

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37077

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37075

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/37076

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress Plugin All-in-One Event Calendar 1.4 - Cross-Site Scripting

MEDIUMby daffainfo

References (3)

[Exploit] http://archives.neohapsis.com/archives/bugtraq/2012-04/0071.html

[Exploit] http://www.securityfocus.com/bid/52986

[Exploit] https://www.htbridge.com/advisory/HTB23082

Scores

EPSS 0.0097

EPSS Percentile 76.5%

Classification

CWE

CWE-79

Status published

Affected Products (3)

timely/all-in-one_event_calendar

timely/all-in-one_event_calendar

n/a/n/a

Timeline

Published Aug 14, 2012

Tracked Since Feb 18, 2026