No, it's common for security researchers to indicate what version # of vendor code the exposure was applicable to at the time the research was published.
The issue is not fixed with the most recent version of the plugin.
The obligation is on the vendor to patch and release news of the fix and until they do, you can assume it's exploitable or retest it yourself by following the instructions in the article.
The vendor does not state, I had not stated, NO ONE BUT YOU has said someone stated. But no one has stated 1.8.2 is not vulnerable.
So we're left with your factually incorrect post.
So if you might be so kind as to please restate it or remove it. As your post (a few days ago) has real potential to confuse or even hurt people's ability to know they are vulnerable with ALL versions of the plugin from rev 1.4 to the current rev. 1.8.2.
You're doing no one a valuable service by inadvertently stating wrong information when people have worked their butts off to provide real value.
@eded…ded, seriously? Let me spell it out for you:
Your post contains a link within the references portion of that original post: High-Tech Bridge Advisory HTB23082. That link provides the following:
High-Tech Bridge > Research > Security Advisories > HTB23082 Security Advisory
Multiple XSS vulnerabilities in All-in-One Event Calendar Plugin for WordPress
Advisory ID: HTB23082
Product: All-in-One Event Calendar Plugin for WordPress
Vendor: The Seed Studio
Vulnerable Versions: 1.4, 1.5 and probably prior
Tested Version: 1.4
Vendor Notification: March 21, 2012
Public Disclosure: April 11, 2012
Latest Update: April 13, 2012
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2012-1835
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: Medium
Discovered and Provided: High-Tech Bridge Security Research Lab
Scroll further down on that link and you’ll see:
Upgrade to version 1.8.2
So, next time you think about flapping your gums, try and stay updated with the references in your own post.
And, if you still find that risk continues to exist, do us all a favor, fix your references first, then notify the source of the “wrong” information before you confuse the people who actually check the references posted.
Could we dispense with the testosterone attacks and please get the facts out?
@edededededededed Thank you for posting your warning, thanks to you I have deactivated the plugin which, though very nice, I have to say, you say could expose my site to attack.
@justinfyi Whatever Edededededededed may have posted, all you needed to do is politely point out that the Vendor had issued an update that addressed the vulnerability.
@edededededededed Perhaps your response could have been put less aggressively, however, I do agree that the post did create a false impression, that version 1.8.2 of the plugin is now ‘safe’.
At the end of all that, I am still uncertain as to whether The Seed have addressed the issue; should this not be reported to the WordPress folk? Is there a workaround?
Anyway, here’s wishing you both a very Happy and Chilled New Year!
cc. The Seed
- The topic ‘exploitable XSS issues’ is closed to new replies.