CVE-2012-1835
NUCLEIAll-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters
Title source: llmExploitation Summary
EIP tracks 4 public exploits for CVE-2012-1835. PoCs published by High-Tech Bridge SA. A Nuclei detection template is also available.
AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting a script tag into the 'msg' parameter of the 'save_successful.php' endpoint. The PoC triggers an alert with the user's cookies, confirming the vulnerability.
Description
Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
Exploits (4)
This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting a script tag into the 'msg' parameter of the 'save_successful.php' endpoint. The PoC triggers an alert with the user's cookies, confirming the vulnerability.
This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting arbitrary JavaScript via the 'button_value' parameter. The PoC uses a simple alert to display the user's cookies, proving the lack of input sanitization.
This exploit demonstrates multiple XSS vulnerabilities in the All-in-One Event Calendar WordPress plugin by injecting malicious JavaScript via unsanitized input parameters. The PoC includes URLs with script tags to execute arbitrary JavaScript in the context of the affected site.
This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting a malicious script via the 'title[id]' parameter. The PoC uses a simple alert to display the user's cookies, proving arbitrary JavaScript execution.