CVE-2012-1835

NUCLEI

All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2012-1835. PoCs published by High-Tech Bridge SA. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting a script tag into the 'msg' parameter of the 'save_successful.php' endpoint. The PoC triggers an alert with the user's cookies, confirming the vulnerability.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

Exploits (4)

exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/37077

This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting a script tag into the 'msg' parameter of the 'save_successful.php' endpoint. The PoC triggers an alert with the user's cookies, confirming the vulnerability.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All-in-One Event Calendar plugin for WordPress 1.4 (and prior versions)
No auth needed
Prerequisites: Access to the vulnerable WordPress plugin endpoint
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/37076

This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting arbitrary JavaScript via the 'button_value' parameter. The PoC uses a simple alert to display the user's cookies, proving the lack of input sanitization.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All-in-One Event Calendar plugin for WordPress 1.4
No auth needed
Prerequisites: Access to the vulnerable WordPress plugin endpoint
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/37078

This exploit demonstrates multiple XSS vulnerabilities in the All-in-One Event Calendar WordPress plugin by injecting malicious JavaScript via unsanitized input parameters. The PoC includes URLs with script tags to execute arbitrary JavaScript in the context of the affected site.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All-in-One Event Calendar WordPress plugin 1.4 and prior
No auth needed
Prerequisites: Access to the vulnerable WordPress plugin
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/37075

This exploit demonstrates a reflected XSS vulnerability in the All-in-One Event Calendar WordPress plugin by injecting a malicious script via the 'title[id]' parameter. The PoC uses a simple alert to display the user's cookies, proving arbitrary JavaScript execution.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: All-in-One Event Calendar plugin for WordPress 1.4
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and active · Victim must visit the crafted URL
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress Plugin All-in-One Event Calendar 1.4 - Cross-Site Scripting
MEDIUMby daffainfo

References (3)

Core 3
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/52986
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-04/0071.html

Scores

EPSS 0.0895
EPSS Percentile 94.6%

Details

CWE
CWE-79
Status published
Products (2)
timely/all-in-one_event_calendar 1.4
timely/all-in-one_event_calendar 1.5
Published Aug 14, 2012
Tracked Since Feb 18, 2026