CVE-2024-1274

Name of the Vulnerable Software and Affected Versions My Calendar WordPress plugin versions prior to 3.4.24

Description The issue allows users with a role as low as Subscriber to perform Cross-Site Scripting attacks, depending on the permissions set by the admin. This is due to the plugin not sanitizing and escaping some parameters.

Recommendations For versions prior to 3.4.24, update to version 3.4.24 or later to resolve the issue. As a temporary workaround, consider restricting the permissions of the Subscriber role to minimize the risk of exploitation.