PT-2021-16379 · WordPress · Events Calendar

Krzysztof Zając · Published 2021-12-06 · Updated 2021-12-07 · CVE-2021-24943

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Registrations for the Events Calendar WordPress plugin versions prior to 2.7.6
Description: The issue arises from the lack of sanitization and escaping of the event id in the /wp-admin/admin-ajax.php 'rtec send unregister link' AJAX action, which is accessible to both unauthenticated and authenticated users. This oversight leads to an unauthenticated SQL injection.
Recommendations: For versions prior to 2.7.6, update to version 2.7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'rtec send unregister link' AJAX action until a patch is applied.
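The defect class the advisory describes (a request-supplied event id reaching a query without sanitization or escaping) and the corresponding hardened form, written as an added example for this page. This is not the plugin's code: the handler names, the table name `rtec_events_placeholder`, the POST field `event_id`, the nonce name and the underscore action slug `rtec_send_unregister_link` (the page names the action with spaces) are all assumptions.

```php
<?php
// Added example, not code from the plugin. Demonstrates why an unescaped event id
// in an admin-ajax.php handler is an SQL injection, and the parameterized fix.
// Hypothetical: table {$wpdb->prefix}rtec_events_placeholder, POST field 'event_id',
// nonce 'rtec_unregister_nonce', action slug 'rtec_send_unregister_link'.

// --- Vulnerable pattern: the raw request value is concatenated into the query.
function hypothetical_send_unregister_link_vulnerable() {
    global $wpdb;
    $event_id = $_POST['event_id']; // attacker-controlled, never validated or escaped
    $table    = $wpdb->prefix . 'rtec_events_placeholder';
    // String interpolation lets the caller change the structure of the statement,
    // and wp_ajax_nopriv_* makes it reachable without logging in.
    $event = $wpdb->get_row( "SELECT id, title FROM {$table} WHERE id = {$event_id}" );
    wp_send_json_success( array( 'event' => $event ? $event->title : null ) );
}

// --- Hardened pattern: nonce check, integer coercion, and a prepared statement.
function hypothetical_send_unregister_link_fixed() {
    global $wpdb;

    // Reject requests that do not carry a nonce minted for this action.
    check_ajax_referer( 'rtec_unregister_nonce', 'nonce' );

    // absint() turns anything that is not a positive integer into 0, which we refuse.
    $event_id = isset( $_POST['event_id'] ) ? absint( wp_unslash( $_POST['event_id'] ) ) : 0;
    if ( 0 === $event_id ) {
        wp_send_json_error( array( 'message' => 'Invalid event id.' ), 400 );
    }

    $table = $wpdb->prefix . 'rtec_events_placeholder';
    // $wpdb->prepare() binds the value; %d guarantees an integer literal in the final SQL.
    $event = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id = %d", $event_id )
    );
    if ( null === $event ) {
        wp_send_json_error( array( 'message' => 'Event not found.' ), 404 );
    }

    wp_send_json_success( array( 'event' => $event->title ) );
}
add_action( 'wp_ajax_rtec_send_unregister_link', 'hypothetical_send_unregister_link_fixed' );
add_action( 'wp_ajax_nopriv_rtec_send_unregister_link', 'hypothetical_send_unregister_link_fixed' );

// --- Temporary workaround in the spirit of the advisory's recommendation, for a site
// that cannot update yet: drop the unauthenticated variant of the action from an
// mu-plugin so only logged-in users can reach the handler. Assumes the plugin has
// registered its hooks by the time 'init' runs at priority 100.
add_action( 'init', function () {
    remove_all_actions( 'wp_ajax_nopriv_rtec_send_unregister_link' );
}, 100 );
```

The `%d` placeholder is what makes the difference: the value is coerced to an integer before it is spliced into the statement, so no input can alter the query's structure. The workaround disables the unauthenticated path only; since the unregister-link flow is meant to serve visitors who are not logged in, expect that feature to stop working for them until the plugin is updated to 2.7.6 or later.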

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2021-24943

Affected Products: Events Calendar