CVE-2021-24604

Name of the Vulnerable Software and Affected Versions Availability Calendar WordPress plugin versions prior to 1.2.2

Description The issue allows high privilege users to perform Cross-Site Scripting attacks due to the lack of sanitization or escaping of Category Names before outputting them in pages or posts where the associated shortcode is embedded. This is possible even when the unfiltered html is disallowed.

Recommendations For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Category Names feature in the Availability Calendar WordPress plugin until a patch is available.