Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
Remediation
References
Related Vulnerabilities
WordPress 2.0.9 Multiple Vulnerabilities (2.0 - 2.0.9)
WordPress Plugin WP eCommerce 'cs1' Parameter SQL Injection (3.8.6)
Drupal Core 8.x Multiple Vulnerabilities (8.0.0 - 8.4.4)
WordPress Plugin WordPress Ad Widget Local File Inclusion (2.11.0)
WordPress Plugin Another WordPress Classifieds Arbitrary File Upload (3.3.2)