patchstack | High-Tech Bridge SA | PATCHSTACK:19AD084C9522FEBD1E5B5477E3E9B7B5
Apr 11, 2012 - 12:00 a.m.

WordPress All-in-One Event Calendar Plugin 1.4 - "msg" Parameter XSS


EPSS: 0.002 (percentile: 58.2%)

The WordPress All-in-One Event Calendar plugin’s /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php script is prone to a cross-site scripting vulnerability in its “msg” parameter. It fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site, and in this way can steal cookie-based authentication credentials. Other attacks are also possible.

Solution

Update the plugin.
