The Availability Calendar WordPress plugin prior to 1.2.2 does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
offshorewebmaster availability calendar |