Title: exploitable XSS issues
Last modified: September 2, 2016

---

# exploitable XSS issues

 *  [JustinFYI](https://wordpress.org/support/users/justinfyi/)
 * (@justinfyi)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/exploitable-xss-issues/)
 * [@edededededededed](https://wordpress.org/support/users/edededededededed/): According
   to the reference you posted, the vulnerable versions are 1.4, 1.5 and probably
   prior. And the solution states that you should update to ver. 1.8.2.

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [Edededededededed](https://wordpress.org/support/users/edededededededed/)
 * (@edededededededed)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/exploitable-xss-issues/#post-7730251)
 * No, it's common for security researchers to indicate what version # of vendor
   code the exposure was applicable to at the time the research was published.
 * The issue is not fixed with the most recent version of the plugin.
 * The obligation is on the vendor to patch and release the fix, and until
   they do, you can assume it's exploitable or retest it yourself by following the
   instructions in the article.
 * Regards
   Edededededededed
 *  [Edededededededed](https://wordpress.org/support/users/edededededededed/)
 * (@edededededededed)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/exploitable-xss-issues/#post-7730268)
 * [@justin](https://wordpress.org/support/users/justin/) FYI,
   The vendor does not state, I had not stated, NO ONE BUT YOU has said someone
   stated. But no one has stated 1.8.2 is not vulnerable.
 * So we're left with your factually incorrect post.
 * So if you might be so kind as to please restate it or remove it. As your
   post (a few days ago) has real potential to confuse or even hurt people's ability
   to know they are vulnerable with ALL versions of the plugin from rev 1.4 to the
   current rev. 1.8.2.
 * You're doing no one a valuable service by inadvertently stating wrong information
   when people have worked their butts off to provide real value.
 *  Thread Starter [JustinFYI](https://wordpress.org/support/users/justinfyi/)
 * (@justinfyi)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/exploitable-xss-issues/#post-7730277)
 * [@eded](https://wordpress.org/support/users/eded/)…ded, seriously? Let me spell
   it out for you:
 * Your [post](http://wordpress.org/support/topic/6-exploitable-xss-issues-from-version-14-to-182)
   contains a link within the references portion of that original post: [1] High-Tech
   Bridge Advisory HTB23082. That link provides the following:
 * ====================================================================
   High-Tech Bridge > Research > Security Advisories > HTB23082 Security Advisory
 * Multiple XSS vulnerabilities in All-in-One Event Calendar Plugin for WordPress
 * Advisory ID: HTB23082
   Product: All-in-One Event Calendar Plugin for WordPress
   Vendor: The Seed Studio
   Vulnerable Versions: 1.4, 1.5 and probably prior
   Tested Version: 1.4
   Vendor Notification: March 21, 2012
   Public Disclosure: April 11, 2012
   **Latest Update: April 13, 2012**
   Vulnerability Type: Cross-Site Scripting [CWE-79]
   CVE Reference: CVE-2012-1835
   CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
   Solution Status: **Fixed by Vendor**
   Risk Level: Medium [Medium Risk]
   Discovered and Provided: High-Tech Bridge Security Research Lab
 * ====================================================================
   Scroll further down on that link and you'll see:
 * **Solution:** Upgrade to version 1.8.2
 * So, next time you think about flapping your gums, try and stay updated with the
   references in your own post.
 * And, if you still find that risk continues to exist, do us all a favor, fix your
   references first, then notify the source of the "wrong" information before you
   confuse the people who actually check the references posted.
 *  [GeaVox](https://wordpress.org/support/users/geavox/)
 * (@geavox)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/exploitable-xss-issues/#post-7730278)
 * Could we dispense with the testosterone attacks and please get the facts out?
 * [@edededededededed](https://wordpress.org/support/users/edededededededed/) Thank
   you for posting your warning, thanks to you I have deactivated the plugin which,
   though very nice, I have to say, you say could expose my site to attack.
 * [@justinfyi](https://wordpress.org/support/users/justinfyi/) Whatever Edededededededed
   may have posted, all you needed to do is politely point out that the Vendor had
   issued an update that addressed the vulnerability.
 * [@edededededededed](https://wordpress.org/support/users/edededededededed/) Perhaps
   your response could have been put less aggressively; however, I do agree that
   the post did create a false impression, that version 1.8.2 of the plugin is now
   'safe'.
 * At the end of all that, I am still uncertain as to whether The Seed have addressed
   the issue; should this not be reported to the WordPress folk? Is there a workaround?
 * Anyway, here’s wishing you both a very Happy and Chilled New Year!
    Gea xx
 * cc. The Seed
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/exploitable-xss-issues/#post-7730279)
 * Please address all details regarding unsafe plugins to plugins [at] wordpress[
   dot] org.

The topic ‘exploitable XSS issues’ is closed to new replies.
