PT-2021-16370 · WordPress · Modern Events Calendar Lite

Krzysztof Zając · Published 2021-12-13 · Updated 2021-12-15 · CVE-2021-24925
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: The Modern Events Calendar Lite WordPress plugin versions prior to 6.1.5
Description: The issue concerns a Reflected Cross-Site Scripting problem. It arises because the current month divider parameter of the "mec list load more" AJAX call is not properly sanitised and escaped before being output in the response. This AJAX call is accessible to both unauthenticated and authenticated users.
Recommendations: For versions prior to 6.1.5, update to version 6.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "mec list load more" AJAX call until a patch is applied. Avoid using the current month divider parameter in the affected AJAX endpoint until the issue is resolved.
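To illustrate the root cause described above, here is an added example (not the plugin's own code) of a WordPress AJAX handler that reflects a request parameter into its response, shown first in the vulnerable form and then with input sanitisation, output escaping and an access check. The action name `example_list_load_more`, the parameter name `month_divider` and the nonce name are assumed placeholders, not the plugin's real identifiers.

```php
<?php
// Added illustration, not the plugin's code. Action, parameter and nonce names
// are assumed placeholders.

// Vulnerable pattern: the request value is written straight into the response,
// so any markup it contains is rendered by the calling browser (reflected XSS).
function example_list_load_more_vulnerable() {
    $divider = isset( $_REQUEST['month_divider'] ) ? $_REQUEST['month_divider'] : '';
    echo '<div class="month-divider">' . $divider . '</div>';
    wp_die();
}

// Hardened pattern: restrict who may reach the handler, sanitise on input and
// escape on output, so the value is rendered as text rather than as HTML.
function example_list_load_more_fixed() {
    // Limits the endpoint to requests carrying a valid, per-session nonce
    // (one way to implement the "restrict access" workaround above).
    check_ajax_referer( 'example_list_nonce', 'nonce' );

    // sanitize_text_field() strips tags and control characters from the input.
    $divider = isset( $_REQUEST['month_divider'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['month_divider'] ) )
        : '';

    // esc_html() encodes <, >, &, " and ' at the point of output.
    echo '<div class="month-divider">' . esc_html( $divider ) . '</div>';
    wp_die();
}

// Registering on both wp_ajax_ and wp_ajax_nopriv_ makes the handler reachable
// by authenticated and unauthenticated users, as the advisory notes for the
// affected endpoint; the hardened callback is the one wired up here.
add_action( 'wp_ajax_example_list_load_more', 'example_list_load_more_fixed' );
add_action( 'wp_ajax_nopriv_example_list_load_more', 'example_list_load_more_fixed' );
```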

Tags: Exploit · Fix · XSS


Weakness Enumeration
Related Identifiers: CVE-2021-24925
Affected Products: Modern Events Calendar Lite