During a recent security audit I found multiple vulnerabilities in the Wordpress plugin “all-in-one-event-calendar”. There is a lite version provided through the Wordpress site (http://wordpress.org/plugins/all-in-one-event-calendar/), and a standard version provided through a third party site (http://time.ly/). Both versions were tested and are vulnerable to the reported issues.
PS: There is also a paid pro version. This was not tested but it’s likely also vulnerable to the mentioned issues.Read more