Thursday, April 12, 2012

HTB23082: All-in-One Event Calendar Plugin for WordPress multiple XSS vulnerabilities

All-In-One Event Calendar (WordPress plugin) version 1.4 suffers from multiple cross-site scripting (XSS) vulnerabilities:
Input passed via the following GET parameters is not properly sanitised before being returned to the user:
- "title" to "wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php"
- "args", "title", "before_title" and "after_title" to "wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php"
- "button_value" to "wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php"
- "msg" to "wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php"
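The defect described above is a view script echoing a request parameter into HTML without output encoding. The following is an added example, not code from the plugin or the advisory: a hypothetical fragment that renders the "title" parameter the unsafe way and the hardened way. Outside WordPress, the WordPress escaping helpers esc_html() and esc_attr() are stood in for by htmlspecialchars() with ENT_QUOTES, which is assumed here to match their semantics closely enough for this demonstration.

```php
<?php
// Added example (not the plugin's own code): rendering a GET parameter into a view.
// The advisory describes view scripts that return GET parameters unsanitised;
// this hypothetical fragment contrasts that pattern with context-aware escaping.

// Stand-ins for WordPress's esc_html()/esc_attr() so the file runs under plain PHP.
// Assumption: both are thin wrappers around htmlspecialchars() with ENT_QUOTES.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the parameter is concatenated straight into the markup,
// so any markup or quotes in the request reach the browser as-is.
function render_title_unsafe(array $get): string {
    $title = $get['title'] ?? '';
    return '<h2 class="widget-title">' . $title . '</h2>';
}

// Hardened pattern: escape at the point of output, choosing the function by context.
// esc_html() for text between tags, esc_attr() for a value inside an attribute.
function render_title_safe(array $get): string {
    $title = $get['title'] ?? '';
    return '<h2 class="widget-title" title="' . esc_attr($title) . '">'
         . esc_html($title) . '</h2>';
}

// Constructed sample request (not from the advisory): markup and quotes in the title.
$sample = ['title' => '<i>Agenda</i> "this week"'];

echo render_title_unsafe($sample), PHP_EOL;  // markup passes through untouched
echo render_title_safe($sample), PHP_EOL;    // <, >, " arrive as entities
```

Two points follow from the pattern. Escaping has to happen at output and per context: a value that is safe between tags is not automatically safe inside an attribute, and vice versa, which is why WordPress provides separate esc_html(), esc_attr(), esc_url() and esc_js() helpers. Separately, because the advisory lists view files under wp-content/plugins/... as directly reachable, plugin templates are usually also guarded with `if (!defined('ABSPATH')) exit;` so they cannot be requested on their own; that guard complements, but does not replace, escaping the echoed values.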

Vulnerability ID: HTB23082
Public Disclosure: April 11, 2012
Vulnerability Type: Cross-Site Scripting (XSS)
Risk level: Medium
