PT-2012-3579 · WordPress · All-In-One Event Calendar

Published 2012-08-14 · Updated 2012-08-28 · CVE-2012-1835

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
All-in-One Event Calendar plugin for WordPress, versions 1.4 and 1.5
Description
Multiple cross-site scripting (XSS) vulnerabilities allow a remote attacker to inject arbitrary web script or HTML that is rendered in the victim's browser. The injection points are request parameters that the plugin's view files echo into the page without escaping: the title parameter to app/view/agenda-widget-form.php; the args, title, before_title or after_title parameter to app/view/agenda-widget.php; the button_value parameter to app/view/box_publish_button.php; and the msg parameter to app/view/save_successful.php.
Recommendations
Update the All-in-One Event Calendar plugin (both affected versions, 1.4 and 1.5) to a release that fixes these XSS issues. Until the update can be applied, reduce exposure of the listed parameters (title, args, before_title, after_title, button_value and msg): make sure each value is escaped for the HTML context it lands in before it is echoed, and that the affected view files are not reachable by a direct request that supplies those parameters.
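The following is an added illustration of the vulnerable pattern the description points at and its hardened form. It is not code from the All-in-One Event Calendar plugin; the function names, the widget arguments and the test payload are all constructed here. It uses WordPress's esc_html() and esc_attr(), with plain htmlspecialchars() fallbacks so the file also runs under the php CLI outside WordPress.

```php
<?php
// Added example: widget-title rendering, vulnerable vs. hardened.
// Not the plugin's own code. Function names below are illustrative.

// Fallbacks so this file runs outside WordPress. Inside WordPress the
// real esc_html()/esc_attr() are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

// Vulnerable pattern: the title is concatenated straight into the markup.
// If $title (or the wrapper markup) can be influenced by a request parameter,
// anything the attacker sends is rendered as HTML.
function render_widget_vulnerable(array $args, $title) {
    return $args['before_title'] . $title . $args['after_title'];
}
function render_form_field_vulnerable($field_id, $title) {
    return '<input type="text" id="' . $field_id . '" value="' . $title . '">';
}

// Hardened pattern: escape each value for the context it is written into.
// Text between tags -> esc_html(); inside an attribute value -> esc_attr().
// before_title/after_title are meant to be theme-supplied wrapper markup
// (register_sidebar()), so they are not escaped here; the fix on that side is
// to make sure they only ever come from WordPress's widget args, never from
// request input.
function render_widget_hardened(array $args, $title) {
    return $args['before_title'] . esc_html($title) . $args['after_title'];
}
function render_form_field_hardened($field_id, $title) {
    return '<input type="text" id="' . esc_attr($field_id) . '" value="' . esc_attr($title) . '">';
}

// Constructed test input: a typical attribute-breakout XSS probe.
$args    = ['before_title' => '<h2 class="widget-title">', 'after_title' => '</h2>'];
$payload = '"><script>alert(document.domain)</script>';

echo "vulnerable widget : ", render_widget_vulnerable($args, $payload), PHP_EOL;
echo "hardened widget   : ", render_widget_hardened($args, $payload), PHP_EOL;
echo "vulnerable field  : ", render_form_field_vulnerable('title', $payload), PHP_EOL;
echo "hardened field    : ", render_form_field_hardened('title', $payload), PHP_EOL;

// Quick self-check: the hardened output must not contain an unescaped <script> tag.
assert(strpos(render_widget_hardened($args, $payload), '<script>') === false);
assert(strpos(render_form_field_hardened('title', $payload), '"><script>') === false);
```

In the vulnerable output the payload closes the attribute (or lands between the h2 tags) and the script tag is live; in the hardened output it is rendered as literal text. Two further points worth checking when reviewing a plugin like this: view files should start with the usual WordPress guard (`if ( ! defined( 'ABSPATH' ) ) { exit; }`) so they cannot be requested directly with attacker-chosen parameters, and each escaping function must match the output context (esc_attr() inside attributes, esc_html() between tags, esc_url() for href/src), since escaping for the wrong context still leaves an injection.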

XSS


Weakness Enumeration

Related Identifiers

CVE-2012-1835

Affected Products

All-In-One Event Calendar