WordPress Plugin Vulnerabilities

All-in-One Event Calendar 1.9 - wp-admin/post-new.php Multiple Parameter XSS

Description

The All-in-One Event Calendar WordPress plugin was affected by a wp-admin/post-new.php Multiple Parameter XSS security vulnerability.

Affects Plugins

Plugin icon
all-in-one-event-calendar
Fixed in 1.10

References

URL
https://firefart.at/post/sql-injection-and-xss-in-all-in-one-event-calendar-wordpress-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Verified
No
WPVDB ID
2ff8446e-4277-407c-b43d-4146d5e3cfdb

Timeline

Publicly Published
2014-08-01 (about 11 years ago)
Added
2014-08-01 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2024-04-30
Title
Min and Max Purchase for WooCommerce <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-25
Title
Pretty Google Calendar < 1.6.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via pretty_google_calendar shortcode
Published
2022-05-18
Title
Carousel CK <= 1.1.0 - Admin+ Stored Cross-Site Scripting
Published
2022-12-23
Title
RSSImport <= 4.6.1 - Contributor+ Stored XSS via Shortcode
Published
2025-09-10
Title
Countdown Timer for Elementor <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'countdown_label'