High-Tech Bridge SA Security Research Lab has discovered a vulnerability in WP Events Calendar, which can be exploited to perform cross-site scripting attacks.
1) Cross-site scripting (XSS) vulnerability in WP Events Calendar
Input passed via the "EC_id" GET parameter to /wp-admin/admin.php (when "page" is set to "events-calendar" and "EC_action" is set to "edit") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface.
See also SA45717
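
The following detection sketch is an added example, not part of the original advisory or the plugin's code. It scans web-server access logs for requests to the code path described above whose "EC_id" value is not a plain integer. The assumption that "EC_id" is a numeric event ID, the function names and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=events-calendar&EC_action=edit&EC_id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=events-calendar&EC_action=edit&EC_id=7%22%3E%3Cem%3Etest HTTP/1.1" 200 5188
203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&EC_id=%3Cem%3E HTTP/1.1" 200 901
198.51.100.4 - - [01/Jan/2024:10:03:00 +0000] "GET /blog/wp-admin/admin.php?EC_id=abc&EC_action=edit&page=events-calendar HTTP/1.1" 200 5100
"""

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"[0-9]+")  # assumption: EC_id is a numeric event ID


def bad_ec_ids(line):
    """Return decoded EC_id values that are not plain integers, if the request
    targets the code path named in the advisory; otherwise an empty list."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return []
    # parse_qs URL-decodes values and keeps repeated parameters as a list.
    params = parse_qs(url.query, keep_blank_values=True)
    if "events-calendar" not in params.get("page", []):
        return []
    if "edit" not in params.get("EC_action", []):
        return []
    return [v for v in params.get("EC_id", []) if not NUMERIC_ID.fullmatch(v)]


def flag_requests(log_text):
    """Return (line_number, decoded_value) for every suspicious request."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for value in bad_ec_ids(line):
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in flag_requests(SAMPLE_LOG):
        print(f"line {number}: non-numeric EC_id {value!r}")
```

Because the issue requires a logged-in administrator to load the request, hits that carry a Referer from an external site are the ones to review first.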