CVE-2023-4021

Name of the Vulnerable Software and Affected Versions Modern Events Calendar lite plugin for WordPress versions up to, but not including, 7.1.0

Description The issue is related to Stored Cross-Site Scripting via Google API key and Calendar ID due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For versions up to, but not including, 7.1.0, update to version 7.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Google API key and Calendar ID fields to minimize the risk of exploitation. Additionally, enabling unfiltered html or taking other measures to ensure proper input sanitization and output escaping can help mitigate the risk.