The plugin did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privileges as low as author to add events containing a Cross-Site Scripting payload, which is triggered in the frontend when the event is viewed.

Edit (WPScanTeam)

January 22nd, 2021 - Vendor contacted via their ticket support (https://support.webnus.net/)

January 23rd, 2021 - Vendor stated it's not a security issue and that a role manager plugin should be installed; escalated to WordPress Plugins Team.

January 27th, 2021 - v5.16.5 released, fixing the issue
https://drive.google.com/file/d/1Cyy1Th5g1t9yXfvYGDrAFMgDP4USfv5c/view?usp=sharing
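A hardened save and render path for a plain-text note field such as mic_comment, as an added example that is not the plugin's code or the vendor's v5.16.5 fix. The post type `example_event`, the meta key `_example_mic_comment`, the nonce names and the function `example_event_render_note` are assumptions; only the `mic_comment` field name comes from the advisory.

```php
<?php
/**
 * Plugin Name: Event note hardening (added example)
 * Hypothetical names: example_event, _example_mic_comment, example_event_nonce.
 */

// Save path: runs whenever an event of the (assumed) post type is added or edited.
add_action( 'save_post_example_event', function ( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }

    // Only accept submissions from the event form, by a user allowed to edit this event.
    $nonce = isset( $_POST['example_event_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_event_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_event_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // A request can send mic_comment[] to turn the field into an array; accept strings only.
    if ( ! isset( $_POST['mic_comment'] ) || ! is_string( $_POST['mic_comment'] ) ) {
        return;
    }

    // The note is plain text for every role, so the stored value does not depend
    // on which role saved the event. Tags are stripped, line breaks are kept.
    $clean = sanitize_textarea_field( wp_unslash( $_POST['mic_comment'] ) );

    // update_post_meta() unslashes its input, so re-slash the cleaned value.
    update_post_meta( $post_id, '_example_mic_comment', wp_slash( $clean ) );
} );

// Render path: used by the frontend template that displays the event.
function example_event_render_note( $post_id ) {
    $note = get_post_meta( $post_id, '_example_mic_comment', true );
    if ( ! is_string( $note ) || '' === $note ) {
        return '';
    }

    // Escape at output as well: values stored before the save path was hardened
    // are still in the database and must render as inert text.
    return '<div class="event-note">' . nl2br( esc_html( $note ) ) . '</div>';
}
```

Escaping on output is what neutralises notes saved before an upgrade; sanitising on save alone leaves already-stored values untouched.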